A design for a secure, multi-user File Storage System is developed. The design, together with a concurrently developed Security Kernel, provides multilevel secure, flexible file storage serving a distributed system of dissimilar computers. The Security Kernel is responsible for non-discretionary (i.e., classification and clearance) security and the File Storage System Supervisor is responsible for discretionary (e.g., need to know) security. Multilevel security is achieved by controlled access to consolidated file storage for Host computer systems. Multiprogramming of surrogate Supervisor processes acting on behalf of the Host computer systems provides for system efficiency. A segmented memory at the Supervisor level allows controlled data sharing among authorized users. System integrity is independent of the internal security controls (or lack of them) in the distributed systems; the File Storage System prevents system-wide security side effects. A loop free structure along with system simplicity and robustness are design characteristics.
Data security is a central issue in computer science today. Data security can be divided into external physical aspects (i.e., guards, fences, etc.) and internal system aspects (i.e., internal software and hardware operations), both of which are necessary for effective system security. The physical aspect is understood and does not pose a significant problem today. Continued losses (viz., money, data) due to computer error illustrate that the second aspect of data security, viz., internal security, has not been solved and continues to be a problem.

This weakness results from the fact that internal computer security has not been a mandatory design objective during hardware and/or software selection and/or production of most (if not all) contemporary computer systems. This renders them prone to security violations from accidental or malicious penetrations [Schell(1)]. Ad hoc attempts to provide the necessary system security in the later stages of the system design or implementation have not generally met with success.

In contrast, this thesis presents a design for a multilevel secure computer operating system, the File Storage System (FSS), in which internal computer security is a primary design objective. There are two goals this system is designed to achieve: 1) to provide sharing of data among authorized users and 2) to control access to a consolidated "warehouse" of data. This controlled access to consolidated data predicates a star network for the system structure (see figure 1). It must be noted, however, that the FSS cannot control the physical security of the Host systems and that Host systems have the ability to circumvent FSS security via inter-Host communication links. To preserve data security, all accesses to the FSS consolidated data must go through the FSS for access validation.

Data sharing among authorized users is accomplished by a segmented environment which allows controlled direct access to all on-line data. The Security Kernel (or simply Kernel) is used to insure that non-discretionary data access is performed in an absolutely controlled (i.e., secure) manner. (See [Coleman] for detailed information on the Security Kernel.)


PROBLEM DEFINITION


It is illogical to ignore the fact that computers may disseminate information to anyone who knows how to ask for it, completely bypassing the expensive controls placed on paper circulation. [Schell(1)]

That this fact is ignored is demonstrated by the estimated 125 million dollars lost yearly by non-secure computer systems in the United States [Denning(2)]. It is obvious that a primary problem/limitation of computer systems in use today is the lack of data security. As requirements to store and access data by computer increase, the seriousness of this problem/limitation cannot be ignored.


Figure 1. System Configuration (Supervisor, Security Kernel)

A system that can simultaneously provide data at different sensitivity (viz., classification) levels for users with different access authorizations (viz., clearances) without a security violation is said to be a multilevel secure system. Because it is usually not desirable to authorize all system users access to the highest level of data ("system high") or to provide separate (without sharing) systems for each level of data, a multilevel system is highly desirable. A multilevel system also allows the maximum amount of controlled data sharing among authorized users, a primary goal of any data storage system.

Previous research shows that a viable approach to the question of internal computer security exists. This approach, sometimes termed the "security kernel approach" [Schell(2)], was introduced by Schell in 1972. It gathers into one module all elements that affect the system security. The module, by being restricted in size, can be verified correct, which in turn allows the total system to be certified secure.

The FSS software is composed of the Supervisor and the Kernel. It will provide multilevel secure consolidated file storage for distributed Host computer systems. The non-discretionary security provided by the Kernel and the discretionary security provided by the Supervisor will implement a wide range of security policies, including the standard Department of Defense (DOD) security policies. Data sharing is achieved by a segmented memory environment at the Supervisor level. The Supervisor uses segments (invisible to the Host systems) to construct the Host files. Multilevel security is achieved by the management of files submitted by the Host systems which exist at distinct security levels. This allows the construction of a multilevel secure system which is dependent on only one secure element of the

The dramatic reduction in size and cost, along with the increase in performance, of microprocessors in the last decade has made their use feasible in areas that have previously been reserved for large computers (or not computed at all). Whereas security has been notoriously lacking in the larger systems, it has been non-existent in microprocessors to date.

Because of their small size, low cost, durability, and, perhaps most importantly, the manpower savings induced (just to mention a few of many advantages), microprocessors have high appeal for use in a military environment. However, the military also has an obvious need for security within their computer systems, whether they are micro, mini, or maxi based.


For example, the Navy is presently considering systems for the next generation of non-tactical shipboard computers [Smith]. They will be mainly used for data processing in the areas of:

Pay and Personnel

Supply and Finance

Maintenance.

Size and speed constraints will soon be met by commercially available microprocessors. Security, however, continues to be a problem not adequately addressed in any available systems. To preserve data confidentiality (not only with respect to clearance level but also with respect to the current stipulations of the Privacy Act), security is a necessary part of any shipboard computer system. Pay records, for example, should not have the same access level as maintenance records. In order to store records in a common data base and to have controlled sharing where appropriate, the computer must be able to maintain a multilevel secure environment.


There are several possible approaches to achieving a secure multilevel environment. The frontal approach, which is most difficult, is to certify as secure all distributed computers which have access to the data base. A second method, and the method adopted for the FSS, is to certify only one element of the FSS secure--the Security Kernel. All access to the FSS that involves non-discretionary security will be validated by the Kernel. The FSS therefore guarantees to manage files in a manner consistent with FSS security policies.
The design for the FSS is one member of a family of systems proposed by O'Connell and Richardson [O'Connell]. Security, configuration independence, and a loop-free structure are characteristics of this family of systems.


BASIC DEFINITIONS

1. Security


Although any viable secure system includes both internal and external aspects, relying excessively on external controls is not desirable in many cases due to the added expenses and increased security risks involved in error-prone manual procedures. External controls also cannot provide the secure sharing of data that is needed in such applications as integrated data bases and computer networks, primary characteristics of the FSS. The use of the Kernel concept is a demonstrably effective and practical method for providing the internal computer security controls that are necessary for a secure multilevel system. This concept is at the center of the FSS design.

The basic concept behind this approach is that a small portion of hardware/software, the Kernel, can provide the internal security controls that are effective against all attacks (malicious or accidental), including those never thought of by the designer. (This also means that errors in the FSS Supervisor cannot cause unauthorized access to

System security is the implementation of a security policy. This policy is a collection of laws, rules, and regulations that establish the rules for access to the data in the system. Such policies, such as the one established by the DOD, have two distinct aspects: discretionary and non-discretionary security. Non-discretionary security essentially constrains what access is possible. In the DOD environment, the familiar non-discretionary security levels are top secret, secret, confidential, and unclassified. Since most contemporary computer systems do not provide the data labeling necessary to support non-discretionary security, all data is implicitly accessible. In the FSS, segmentation allows unique identification and labeling of data; non-discretionary security is therefore supported. The Kernel is the one element responsible for enforcing non-discretionary security.

Non-discretionary security involves comparing the access class of a specific object (object access class (oac)) with the access class of the requestor (subject access class (sac)) to insure compatibility. In a DOD environment, for example, a person (subject) with a sac of secret has access to files (objects) at any access class equal to or less than secret. The relationships between different access classes are represented by a partially ordered lattice structure [Denning(1)]. This lattice represents the authorized access based on the relationship of two access classes. An example of the not-related relationship (which makes the lattice partially rather than totally ordered) occurs because of DOD compartmentalization: two access classes at the same level but in different compartments, such as secret.nuclear and secret with some other compartment, are not related, since neither dominates the other. The following accesses are permitted for the relationships represented by this lattice structure:

sac = oac : read/write access

sac > oac : read access (read down)

sac < oac : write access (write up)

sac <> oac : no access (sac not related to oac)

In each case, the Kernel must know the identification of the Host system if it is to perform correct non-discretionary security checks. Unique system identification is provided by the system port number, which is hardwired and known to the Kernel.
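The lattice comparison and the four access cases above can be written out directly. The following is an added example, not code from the thesis or from the FSS implementation: an access class is modelled as a DOD level plus a set of compartments, dominance is "level at least as high and compartments a superset", and the Kernel-side check identifies the subject only by the hardwired port number (the port table below is a constructed, hypothetical one). Note that secret and secret.nuclear are related (secret.nuclear dominates secret, so a secret subject may write up into it); only classes with differing compartments at comparable levels are unrelated.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Hierarchical levels of the DOD policy named in the text, ordered low to high.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class AccessClass:
    """A level plus a set of compartments, e.g. secret.nuclear."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "AccessClass") -> bool:
        # self >= other in the lattice: level at least as high AND
        # every compartment of other is also present in self.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def parse_class(text: str) -> AccessClass:
    """'secret.nuclear' -> AccessClass('secret', {'nuclear'})."""
    level, *comps = text.split(".")
    return AccessClass(level, frozenset(comps))


def relation(sac: AccessClass, oac: AccessClass) -> str:
    """Classify a (subject, object) pair into one of the four lattice cases."""
    down = sac.dominates(oac)
    up = oac.dominates(sac)
    if down and up:
        return "read/write"   # sac = oac
    if down:
        return "read"         # sac > oac: read down
    if up:
        return "write"        # sac < oac: write up
    return "none"             # sac <> oac: not related


# Hypothetical hardwired port table: port number -> access class of the Host
# connected to that port. Constructed for this example.
PORT_CLASS: Dict[int, AccessClass] = {
    0: parse_class("unclassified"),
    1: parse_class("secret"),
    2: parse_class("secret.nuclear"),
}


def kernel_permits(port: int, oac: AccessClass, mode: str) -> bool:
    """Non-discretionary check as the Kernel would make it. The subject's
    access class comes from the port, never from anything the Host claims.
    mode is 'read' or 'write'; anything else fails closed."""
    if port not in PORT_CLASS:
        return False                      # unknown port: fail closed
    sac = PORT_CLASS[port]
    if mode == "read":
        return sac.dominates(oac)         # no read up
    if mode == "write":
        return oac.dominates(sac)         # no write down (confinement)
    return False
```

A write request is granted whenever the object dominates the subject, which includes the equal case; this is the confinement rule that later lets a low-level Host store into a higher-level file but never read it back.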

Discretionary security provides a refinement to the non-discretionary security policy and is reflected in the DOD "need to know" policy. Computer systems which have Access Control Lists (ACL) associated with data implement this discretionary policy. The FSS Supervisor is responsible for the system discretionary security, and although this aspect of the system security is not validated by the Kernel (and therefore not certified correct), the validity of the non-discretionary security is not affected.

To implement its aspect of security, the Supervisor needs to know the identification of the Host system user. This Host system user identification must be passed to the FSS Supervisor by the Host system. Since an insecure Host system cannot be trusted to pass the correct information, the user identification is only as good as the Host system implementation (i.e., FSS discretionary security is only as good as the Host system's implementation of discretionary security). This implementation may be good on some systems (e.g., UNIX [Morris]) but non-existent on other systems (e.g., CP/M [Digital]). It must be remembered that this in no way affects the enforcement of the non-discretionary security by the Kernel.
2. Process

A process can be described as a locus of execution. The collection of locations that may be accessed during this execution is known as the process' address space [Madnick]. A process also has the characteristic that it may be executed in parallel with other processes, enhancing system efficiency and allowing the separation of tasks into different processes for design clarity.

The FSS has two processes per Host system. These are an input/output (IO) process for Supervisor to Host data transfer and communication, and a file management (FM) process that controls and maintains the Supervisor file structure. Interprocess communication is achieved by the use of eventcounts, sequencers, and synchronization primitives internal to the Kernel (described later).
3. Segmentation

Segmentation allows for the direct addressing of all system on-line information and the application of access control to this information. Note that direct addressing does not mean random access to the on-line information. On the contrary, access to segments is controlled by explicit memory management calls to the Kernel to swap a segment in or out. A segment can be defined as a logical grouping of information such as a subroutine, procedure, data area, or file. Each process' address space consists of a collection of segments. In a segmented environment, all address space references require two components, a segment specifier and an offset within that segment. Segmentation is used to provide the Supervisor domain of each process a virtual memory of limited size. Segments, as mentioned earlier, are used by the Supervisor to construct the Host files, which retain the attributes of segments (i.e., access control).
4. Multiprogramming

A multiprogrammed environment is one in which more than one process is in a state of execution at the same time. These processes share processor time, memory, and other resources among the active processes. In the design for the FSS, the Supervisor processes are multiprogrammed in an asynchronous manner for system efficiency. A multiprogramming environment allows the Host systems to operate in a logically parallel manner, which adds to system design simplicity and clarity.


5. Protection Domains

One of the key elements necessary for a valid Kernel implementation is the isolation of the Kernel from all outside influences. This can be done through the use of protection domains.

Protection domains are used to arrange process address spaces into "rings" [Schroeder] of different privilege. This arrangement is a hierarchical structure with the most privileged domain being the innermost ring. Figure 2 represents the ring organization in the FSS.

Protection rings may be created by either hardware or software. Hardware is more efficient but is not commercially available in microprocessor devices today. Two state devices are available, however, and by implementing the two states as separate rings and providing for software ring crossing mechanisms, the necessary two protection rings can be created.


SYSTEM REQUIREMENTS

There are no fixed hardware requirements for the implementation of the FSS. System efficiency does, however, depend on an appropriate choice of hardware. Two basic hardware features that are felt to be necessary for a viable implementation of the FSS are segmentation and multiple domains.

Segmentation is necessary for access control and data sharing. A multiple state machine (two states in this case) is necessary for the isolation of the Kernel from the remaining (and uncertified!) software.
Figure 2. Protection Domains

    Outer Extended Machine:  Supervisor
    Inner Extended Machine:  Security Kernel
    Bare Machine:            Hardware
Only the Kernel has access to privileged machine instructions and all system input/output. It provides a segmented environment in which the Supervisor operates. The Supervisor, in turn, provides a virtual file environment for the Host computer systems.

A secure computer system is not dependent on the hardware on which it is implemented. However, as mentioned above, segmentation and multiple domains are considered necessary for FSS efficiency.

Segmentation allows the use of one uniform type of information object, the segment, at the Kernel level. This simplifies Kernel design and contributes to keeping Kernel size small. A segment address consists of a segment name and an offset within the segment. Although this addressing can be done in software, it is faster and more efficient when done in hardware. Hardware can also simultaneously check for authorized access, a necessary feature of a secure system.

Multiple domains are currently used in some of the larger machines to protect the operating systems from the applications programs. Multiple domains have not, until recently, been available in a microprocessor configuration. The FSS design requires only two domains, one for the Kernel and one for the Supervisor.

The introduction of the Zilog Z8000 series microprocessor meets both the segmentation and multiple domain requirements. The FSS is targeted for implementation on the Z8001 segmented microprocessor [Zilog(2)] with its associated Memory Management Unit (MMU) [Zilog(1)]. The Z8001 is a 16 bit two-domain machine which produces a 23 bit logical address. The Z8010 MMU maps the 23 bit logical address into a 24 bit absolute address and allows the capability of addressing up to 128 segments (with two MMUs) of 64K bytes each (8M bytes total) in a two-dimensional memory space. (See [Coleman] for further details.) RS-232 compatibility is assumed for serial data input/output at the hardware level. This allows byte synchronization and byte parity checks to be performed at the hardware level by the FSS universal asynchronous receiver-transmitter (UART).
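To make concrete what "hardware can simultaneously check for authorized access" means for a segmented two-domain machine, here is an added example (not code from the thesis, and not the Z8010's actual descriptor format, which uses 256-byte base/limit granularity and additional flags): a simplified MMU model that splits a 23 bit logical address into a 7 bit segment number and 16 bit offset, looks up a per-segment descriptor, and refuses the reference before translation if the segment is absent, is marked system-only while the CPU is in the normal (Supervisor) domain, is read-only and the access is a write, or the offset lies beyond the segment limit. The descriptor field names and the `probe` helper are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional

SEGMENT_BITS = 7      # Z8001 logical address: 7 bit segment number ...
OFFSET_BITS = 16      # ... plus a 16 bit offset, 23 bits in all
OFFSET_MASK = (1 << OFFSET_BITS) - 1


@dataclass
class SegmentDescriptor:
    """Simplified per-segment descriptor (not the real Z8010 layout)."""
    base: int                    # 24 bit absolute address of the segment start
    limit: int                   # segment length in bytes (at most 64K)
    read_only: bool = False      # writes to this segment are refused
    system_only: bool = False    # usable only from the Kernel (system) domain


class AccessFault(Exception):
    """Raised instead of translating when a reference violates the descriptor."""


class SegmentedMMU:
    def __init__(self) -> None:
        self.table: Dict[int, SegmentDescriptor] = {}

    def load(self, seg: int, desc: SegmentDescriptor) -> None:
        if not 0 <= seg < (1 << SEGMENT_BITS):
            raise ValueError("segment number out of range")
        if not 0 < desc.limit <= (1 << OFFSET_BITS):
            raise ValueError("segment limit out of range")
        self.table[seg] = desc

    def translate(self, logical: int, write: bool, system_mode: bool) -> int:
        """Check the reference against the segment's descriptor and return the
        absolute address, or raise AccessFault. Every reference passes here."""
        seg = logical >> OFFSET_BITS
        offset = logical & OFFSET_MASK
        desc = self.table.get(seg)
        if desc is None:
            raise AccessFault(f"segment {seg} not present")
        if desc.system_only and not system_mode:
            raise AccessFault(f"segment {seg} is system-only")
        if write and desc.read_only:
            raise AccessFault(f"segment {seg} is read-only")
        if offset >= desc.limit:
            raise AccessFault(f"offset {offset:#x} beyond limit of segment {seg}")
        return desc.base + offset


def logical_address(seg: int, offset: int) -> int:
    """Compose a 23 bit logical address from segment number and offset."""
    return ((seg & ((1 << SEGMENT_BITS) - 1)) << OFFSET_BITS) | (offset & OFFSET_MASK)


def probe(mmu: SegmentedMMU, seg: int, offset: int,
          write: bool = False, system_mode: bool = False) -> Optional[int]:
    """Translate a reference, returning None instead of raising on a fault."""
    try:
        return mmu.translate(logical_address(seg, offset), write, system_mode)
    except AccessFault:
        return None


def demo_mmu() -> SegmentedMMU:
    """Constructed configuration: a Kernel-only segment, a shared read-only
    segment and an ordinary Supervisor segment."""
    mmu = SegmentedMMU()
    mmu.load(1, SegmentDescriptor(base=0x010000, limit=0x1000, system_only=True))
    mmu.load(2, SegmentDescriptor(base=0x020000, limit=0x0800, read_only=True))
    mmu.load(3, SegmentDescriptor(base=0x030000, limit=0x2000))
    return mmu
```

Because the check sits in the translation path, Supervisor code that computes a pointer into a Kernel segment, or runs past the end of its own, faults on the very reference rather than after the fact; this is the property that lets the Kernel's isolation rest on two hardware states plus a software ring-crossing mechanism.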


SYSTEM STRUCTURE

1. System Levels

Abstraction is a way of avoiding complexity and a mental tool for approaching complex problems [Dijkstra(2)]. The use of abstraction allows the presentation of a system design that is concise, precise, and easy to understand. There are four levels of abstraction for the FSS, as presented in figure 3.


Level 0 is the hardware level and consists of the Z8001 microprocessor, memory and some form of disc storage (initial implementation may be with floppy disc).

Level 1, the Kernel, is isolated and protected from manipulation (accidental or malicious) by being placed in the more privileged domain of the Z8001. Only the Kernel has access to "system" machine instructions and it controls all access to the system hardware elements (memory, disc). The Kernel provides a segmented environment in which the Supervisor operates.

Level 2, the Supervisor, operates in the outer (less privileged) domain of the Z8001. It has access to "normal" machine instructions, but must go through the software Gatekeeper [Coleman] of the Kernel to get access to memory (viz., segments) and disc storage. The Supervisor provides a virtual file hierarchy to each Host system for file storage. In order to manage the file hierarchy, surrogate processes (input/output (IO) and file management (FM)) are assigned to each Host system. These processes act on the requests submitted by the Host computer systems. All processes are created at system generation time and are not created or deleted in a dynamic manner.

Level 3 consists of the Host computer systems. These systems are hardwired to the Z8001 in the FSS design. Each port has a fixed access level, so that if a multilevel secure Host desires to handle data at two levels, it must have two connections to the FSS. (Note that if the Host is not a true secure multilevel Host and does have multiple connections with distinct levels, then the FSS security constraints are circumvented.)
2. System Protocol

Protocols are formal specifications which constrain data exchange between the Host systems and the FSS. These specifications allow the FSS to achieve bounded, deadlock free and fault tolerant communication. To organize and simplify protocol design in the FSS, the protocol is logically divided into a hierarchical structure of two interacting layers. Level 1 protocol handles packet (described later) synchronization, error detection, and command type determination. Level 2 handles the repetitive activity of data transfer.

Data and commands are transmitted between FSS and Host via fixed size packets. Packet synchronization is necessary for Host-FSS communication. Error detection is closely related to the problem of packet synchronization; packets not in synchronization will not be correct. The converse is not true, however: a synchronized packet may contain transmission errors. There are several methods for error detection/correction [Hamming]. A design choice of a simple checksum per packet (to detect packet errors) was made in the interest of system simplicity. If an error is detected in a packet, the Host will be requested to stop packet transmission and to begin again with the packet in which the error was detected. Of course, the FSS must be able to provide the same service. This retransmission upon error detection strategy, combined with the byte parity checks performed at the hardware level by the UART, will provide the error detection/correction scheme in the initial FSS design.
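The Level 1 mechanics described above (fixed size packets, a per-packet checksum, and "stop and resend from the packet in error") can be exercised end to end. The following is an added example, not the thesis' packet format or code: the 16 byte packet layout (sequence number, payload length, 13 payload bytes, 8 bit additive checksum), the single-link simulation and the message are all constructed for this example. `transfer` plays both sides, optionally damaging one packet on its first transmission so the receiver's NAK and the sender's restart can be seen in the log.

```python
from typing import List, Optional, Tuple

PACKET_SIZE = 16                     # fixed packet size in bytes (assumed here)
HEADER = 2                           # sequence number byte, payload length byte
PAYLOAD = PACKET_SIZE - HEADER - 1   # 13 payload bytes; the last byte is the checksum


def checksum(body: bytes) -> int:
    """8 bit additive checksum over header and payload. Detects accidental
    corruption only; it gives no protection against deliberate modification."""
    return sum(body) & 0xFF


def build_packets(message: bytes) -> List[bytes]:
    """Split a message into fixed size packets: [seq][len][payload...][checksum]."""
    packets = []
    for seq, start in enumerate(range(0, len(message), PAYLOAD)):
        chunk = message[start:start + PAYLOAD]
        body = bytes([seq & 0xFF, len(chunk)]) + chunk.ljust(PAYLOAD, b"\0")
        packets.append(body + bytes([checksum(body)]))
    return packets


def check_packet(packet: bytes, expected_seq: int) -> Optional[bytes]:
    """Level 1 receive checks: fixed size, checksum intact, in sequence.
    Returns the payload, or None if the packet must be retransmitted."""
    if len(packet) != PACKET_SIZE:
        return None                          # lost packet synchronization
    body, csum = packet[:-1], packet[-1]
    if checksum(body) != csum:
        return None                          # transmission error
    seq, length = body[0], body[1]
    if seq != (expected_seq & 0xFF) or length > PAYLOAD:
        return None                          # out of sequence or malformed
    return body[HEADER:HEADER + length]


def transfer(packets: List[bytes], corrupt_once: Optional[Tuple[int, int]] = None,
             max_retries: int = 3) -> Tuple[bytes, List[str]]:
    """Simulate sender and receiver on one link. corrupt_once=(packet, byte)
    flips one bit the first time that packet is sent. On an error the receiver
    tells the sender to stop and restart from the packet in error; repeated
    failure of one packet is bounded by max_retries."""
    received = bytearray()
    log: List[str] = []
    seq, retries, corrupted = 0, 0, False
    while seq < len(packets):
        pkt = packets[seq]
        if corrupt_once is not None and corrupt_once[0] == seq and not corrupted:
            damaged = bytearray(pkt)
            damaged[corrupt_once[1]] ^= 0x01
            pkt, corrupted = bytes(damaged), True
        payload = check_packet(pkt, seq)
        if payload is None:
            retries += 1
            if retries > max_retries:
                raise ConnectionError(f"packet {seq} failed {max_retries} times")
            log.append(f"NAK {seq}: stop, resend from packet {seq}")
            continue                         # sender restarts at packet seq
        log.append(f"ACK {seq}")
        received += payload
        seq, retries = seq + 1, 0
    return bytes(received), log


# Constructed sample message, not from the thesis.
SAMPLE_MESSAGE = b"PAY RECORDS ARE NOT MAINTENANCE RECORDS."
```

The length byte is what lets the last, short packet be reassembled without guessing at padding; the retry bound is what keeps the "bounded, deadlock free" claim true on a link that has gone permanently bad. A practitioner should keep in mind the caveat in the checksum comment: this scheme, like the UART parity check it complements, addresses noise, not an adversary on the inter-Host links the design already concedes it cannot control.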
4. Host Environment

The job of the FSS is to provide a service, viz., to store files in a secure data "warehouse". The files are submitted by various Host computer systems. The virtual environment provided to the Host systems is therefore a primary design consideration of the overall FSS design. Design goals are to make this Host environment simple, easy to use and understand, efficient and robust.

The center of the Host environment is the hierarchical file structure maintained by the Supervisor of the FSS. This file structure is a tree organization which facilitates design abstraction (virtual file systems per Host) as well as file system searches via tree traversal. Figure 4 illustrates the overall logical structure of the Supervisor file system.

A file can be defined, in the case of the FSS, as one or more Supervisor segments grouped together for the purpose of access control (security), retrieval (read), and modification (write) [Shaw]. In the FSS the file is the basic unit of storage at the Host system level.

The hierarchical file system contains two types of files: 1) data files, and 2) directory files. Both file types are constructed from segments (invisible to the Host systems) at the Supervisor level. The characteristics usually associated with a segmented environment (Supervisor level), such as data sharing and access control, are transferred to the file environment (Host level) by the FSS.

The Host system environment consists of a virtual file hierarchy maintained for each Host system (i.e., one virtual file system per hardware port). A primary reason for having multiple virtual file hierarchies is to avoid the naming conflicts which would eventually occur in the Supervisor hierarchy as the system grew if per-Host virtual file systems did not exist. Multiple directories also allow the Host systems to group related files into one directory, simplifying search and Host use. The Supervisor will control the duplication problem within a virtual file system by not allowing duplicate file names in a single directory file. Pathnames are required to uniquely identify files in the Supervisor file systems and must be included in the Host request.

Access to the Supervisor file hierarchy is controlled in both a discretionary and a non-discretionary manner. The non-discretionary access is controlled by the Kernel, which will prevent a Host system from reading up or writing down (confinement property). Discretionary access to the files is handled by the Supervisor, which compares the Host.user (Host and user combination) with the file ACL. Requested access is permitted only if the Host.user is explicitly permitted access by the file ACL.

Each Host system virtual file hierarchy is constructed from data files and directory files which, as mentioned above, are constructed of Supervisor segments. Although dynamic growth and shrinkage are usual segment attributes, a design choice for system simplification was made to fix segment size at three increments: SMALL (512 bytes), MEDIUM (2K bytes), and LARGE (8K bytes). These sizes were chosen as a compromise between expected file sizes, Supervisor buffer requirements, and minimizing the number of software ring crossings that would be required during a data file "read" or "store" operation. Because segment size is limited and there exists the likelihood of encountering files larger than the maximum segment size, the concept of a multiple segment file (msf) is known to the Supervisor.

Figure 5 depicts the general tree structure of a Supervisor virtual file hierarchy. Directory files are represented by squares and data files by circles. Data files, as their name implies, contain data only. Directory files are constructed of a header and zero or more "entries". There are two types of entries, branch entries and link entries.

Branch entries contain the attributes of the file which they identify. In figure 5, for example, the attributes of directory file User_1 (entry name, ACL, size, type, etc.) are contained in its parent directory file, Host_1, and not in User_1 itself. One branch entry designates one Supervisor segment.

A link entry, represented by the dotted line in figure 5, is composed of an "entry name" (link name) and a pathname. (A pathname is the concatenation of entry names starting from the root directory and proceeding in sequential order to the specified file.) Like a branch entry, a link entry is used to access a specific file. For

Figure 5. Virtual File Hierarchy (logical view); directory names shown include Group_1

example, in figure 5, the pathname contained in the link entry is Host_1>User_5>Dir_1. Unlike a branch entry, however, the link entry does not contain any file attributes. Access is controlled as the Supervisor traverses the specified path to the requested file.

The use of link entries allows sharing of files among Host systems and among Host system users. Loops, which might be generated by two links which reference each other, are prevented by the Supervisor. (Loops could present a tree traversal problem to the Supervisor.)

Each file has a file name (Entry Name--unique per directory file) given by the Host system at file creation time. This file name and its pathname are used to uniquely locate the file in the Host's virtual file system. By traversing the virtual hierarchy, the Supervisor can locate the requested file if it exists in the system. In either case (viz., whether the file exists or not), appropriate action can be taken by the Supervisor.


a. Directory File

Figure 6. Logical Directory Structure

Figure 6 is a logical representation of a file directory. Each directory file is made up of a header and zero or more fixed size branch/link entries. A fixed directory size of LARGE (8K bytes) was chosen to insure a reasonable amount of directory space for Host system use. This could pose a space problem, especially for secondary storage. (Adequate main memory can be installed for required buffer space.) The Kernel, which stores segments as pages, may want to "compact" segments by not storing on secondary storage those pages which contain all "zeros". This would greatly reduce the amount of wasted space on secondary storage. (Another equally viable solution, but not selected for this design, is to have multiple segment directories in the Supervisor, similar to multiple segment data files.) The directory file header contains the following information:

Entry Count: This is the number of branch/link entries in the directory.

ACL Pool Count: This is a count of the number of ACL entry elements left in a pool of such elements.

If the entry is a branch entry, it will contain the following elements:

Entry Name: The entry name is the file name. The Host systems are responsible for supplying these names but, as mentioned above, will be prevented by the Supervisor from having duplicate names (file names) in one directory file.

Access Class: This element contains the file access level.

Branch/Link Switch: This element will identify the entry as a branch entry, which in turn specifies the entry format.

ACL Pointer: This element will point to an ACL for the branch entry. There are only three distinct discretionary access modes: 1) "null" access, as the name implies, declares that no access is to be allowed to the specified Host.user combination, 2) "read" access allows a qualified Host.user to read a file only (i.e., no write access), 3) "write" access allows a Host.user write access to a file (and also implicit read access). The actual ACL will be a list of authorized users in the form Host.user with an associated access mode. A "don't care" authorization (in this case a *) will allow general access in that category. For example, *.user would allow the specified user to access this file from any connected Host system with the specified access mode. This ACL for entry user can easily be expanded to include other categories, such as project, to further refine the discretionary access allowed to a file.


File Size: This element is necessary for 
proper management of the Host READ commands by the 
Supervisor, viz., it allows the Supervisor to calculate the 
number of segments that make up a multiple segment file. It 
will be supplied by the Host system in the STORE FILE 
command request (in bits). 

File Type Switch: This switch tells the 
Supervisor the type of file to which the branch points 
(data, directory). This is necessary due to the different 
file formats. 


File Created: This element is used for 
audit purposes, i.e., to have a permanent record of the file 
creator and the time of creation. 


Last Update: This element will identify the last 
Host and user to store into the file. This identification 
will be of the form Host.user.date.time. This will allow the 
FSS to have a limited audit capability. The confinement 
property prevents the FSS from also keeping track of read 
accesses since processes at higher levels can read at lower 
levels but cannot write the audit information. Also note 
that the Last Update information for upgraded directories 
may not be accurate for the same reason. 

If the entry is a link entry, it contains only 
four elements. These are: 1) Entry Name to identify the 
file, 2) Branch Link Switch to identify the entry type, 3) 
Link, a pathname to uniquely identify a file, and 4) 
Create Time, the time of link initiation along with the 
Host.user who created the link. All attribute checking is 
done as the Supervisor traverses the specified path. 


A FSS design choice is to limit all pathlengths 
to 128 bytes. This places some restrictions on the Host in 
that long file names will soon consume the bytes available 
for a pathname. However, this restriction can be overcome by 
pathnames which contain several link entries, which can 
themselves be 128 bytes. With 32 branch/link entries per 
directory, there are an average of 32 ACL entries (3 bytes 
each) available to each branch entry. (Remember, link entries 
do not have ACL entries.) Figure 6 contains the initial 
field sizes for the directory construction. The primary 
factor in calculating the size of branch/link entries is the 
size of the link pathname. This increases the size of link 
entries to 1635 bytes and although space is wasted in branch 
entries, the simplification of System design resulting from 
a fixed size of branch/link entry is felt to be sufficient 
justification in the initial design. 
b. Data Files 

Data files are the leaf nodes in the file 
hierarchy and contain only data. 
c. Multiple Segment File Directory 

A msf directory is a Supervisor construct 
(invisible to Host systems) to manage files larger than the 
maximum fixed segment size. Because the number of segments 
that will be required by the Supervisor to store a file can 
be calculated from the file size information passed by the 
Host, a msf directory need only be a segment of size zero. 
This makes the Kernel alias table (which is a fixed 
size--see [Coleman]) the limiting factor in the maximum file 
size. The alias table has the same number of entries as a 
Supervisor directory (viz., 32) which limits maximum Host 
file size to 256K bytes. Files that exceed the maximum file 
size must be split by the Host system. An attempt to store a 
file that is too large will result in an error condition 
response to the Host and an unexecuted command. 
4. Host System Commands 

The Host commands provide the only interface that a 
Host system has with the FSS. Each command is interpreted by 
the FSS and acted upon by surrogate Supervisor processes; 
the Host system has no direct access to the FSS. There is 
one acknowledgement between the Host and FSS at this level. 
This is a 'command complete' acknowledgement that informs 
the Host system that the Supervisor has completed action on 
the request. If an error condition occurs, the appropriate 
error code is returned in the acknowledgement. 

Another aspect of the Host environment needs to be 
defined also. The Host environment can be divided into two 
states: they are the old state, before the FSS has acted 
upon the Host request, and the new state, which occurs 
after action has been completed by the FSS. The specific 
state of the FSS at any instant is indeterminate at the Host 
level if more than one Host is accessing the same file of 
the FSS at one time. That is, since Supervisor processes 
execute in a completely asynchronous manner, the FSS state 
may change after a Host command is sent but before the FSS 
acts on the command. This will not affect the performance of 
the System or validity of its security; Host commands will 
be executed as a single, atomic operation in the FSS state 
in which they are received and interpreted. The Host will 
get some 'correct' response for some state existing between 
the sending of the Host command and the FSS acknowledgement 
on the same command. This allows several Hosts to safely 
synchronize their actions external to the FSS. 


The following is considered to be a minimal subset 
of commands available to the Host System for adequate file 
control. Figure 7 illustrates the required discretionary 
access attributes. The files are referenced in the Host 
command by pathname from the root of the Host 
virtual file system. The pathname specifies the parent 
directory file (containing access attributes of the file), 
and the file (data or directory) to which the Host command 
refers. All commands require a pathname for unique file 
identification. Each command also requires the specification 
of the Host system user in order for the Supervisor to 
perform discretionary security checks. This userid will be 
supplied by the Host system or the Host system user, 
whichever is appropriate. 


CREATE FILE <pathname, access class, file type 
(directory, data)>. This command requests that the 
Supervisor create a branch entry in the specified directory 
under the specified file name at the specified access class. 
An initial access mode of write will be given to the file 
creator and may be altered by the use of the ADD ACL ENTRY 
and DELETE ACL ENTRY commands. This is the only Host command 
where file access class is specified. It is used in this 
command to create upgraded directory files, if desired. 
(Data files may not be upgraded--described later.) In the 
initial implementation (with single level Hosts), there will 
be no upgraded directories within a Host virtual file 
system. Initial data file size is zero; initial directory 
file size is LARGE (8K bytes). Actions taken: 

1) The Supervisor locates the root of the virtual 
file system for this Host and does a tree traversal to 
locate the parent directory file. 

2) If the parent directory file is not found or 
found but write access to the parent directory file is not 
allowed, an appropriate error code is returned (file not 
found or write not permitted). 

3) If the directory file is found, and room exists 
in the directory, the new file is entered in a branch. As 
mentioned above, no duplicate file names will be allowed by 
the Supervisor. 


CREATE LINK <pathname, link, userid>. This command 
requests that the Supervisor create a link in the specified 
directory under the specified file name. As already 
mentioned, the Supervisor will not allow links to form 
loops. This is done by restricting the maximum number of 
files in one pathname to 64 files. (This figure is reached 
by allowing a maximum pathlength of 128 bytes and having 
file names of one character. File name delimiters of one 
character, viz. '>', will give a maximum pathlength of 64 
files.) By keeping track of the path traversed, the 
Supervisor is able to determine if and when a loop is 
formed. Actions taken: 

1) The Supervisor locates the root of the virtual 
file system for this Host and does a tree traversal to 
locate the parent directory file. 

2) If the parent directory file is not found or 
found but write access to the parent directory file is not 
allowed, an appropriate error code is returned. 

3) If the parent directory file is found and room 
exists in the directory, the link is entered in a link 
entry. 
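The pathname rules above (128-byte pathnames, '>' as the delimiter, at most 64 files on one path) and the loop check described for CREATE LINK, as an added Python example that is not the thesis's code: the in-memory directory layout, the PathError type, the sample tree, and the rule that a repeated (link, remaining path) state means a loop are this example's own assumptions.

```python
MAX_PATHNAME_BYTES = 128   # FSS limit on a pathname
MAX_FILES_PER_PATH = 64    # 64 one-character names plus 63 '>' delimiters
DELIM = ">"                # file name delimiter


class PathError(Exception):
    """Error condition the Supervisor would return to the Host."""


def split_pathname(pathname):
    """Validate a Host pathname against the FSS limits and split it."""
    if len(pathname.encode()) > MAX_PATHNAME_BYTES:
        raise PathError("pathname longer than 128 bytes")
    parts = pathname.split(DELIM)
    if any(part == "" for part in parts):
        raise PathError("empty file name in pathname")
    if len(parts) > MAX_FILES_PER_PATH:
        raise PathError("more than 64 files in pathname")
    return parts


def resolve(root, pathname):
    """Traverse `root` along `pathname`, following links, and return the
    entry reached as (kind, object).

    `root` is a directory: a dict mapping a file name to an entry, where an
    entry is ("directory", dict), ("data", bytes) or ("link", pathname).
    A link is a pathname from the root, so following one restarts the walk
    at the root. The (link pathname, remaining path) state at each link is
    remembered (assumption); meeting the same state again means the walk
    can never finish. The number of files traversed, including those
    reached through links, is capped at 64 as a second line of defence.
    """
    remaining = split_pathname(pathname)
    current = root
    files_traversed = 0
    link_states = set()
    while remaining:
        name, remaining = remaining[0], remaining[1:]
        files_traversed += 1
        if files_traversed > MAX_FILES_PER_PATH:
            raise PathError("more than 64 files traversed")
        entry = current.get(name)
        if entry is None:
            raise PathError("file not found")
        kind, obj = entry
        if kind == "link":
            state = (obj, tuple(remaining))
            if state in link_states:
                raise PathError("link loop detected")
            link_states.add(state)
            remaining = split_pathname(obj) + remaining  # substitute the link
            current = root                               # and start over
            continue
        if not remaining:
            return kind, obj
        if kind != "directory":
            raise PathError("not a directory")
        current = obj
    raise PathError("empty pathname")


def resolve_or_error(root, pathname):
    """The entry at `pathname`, or the error string the FSS would relay."""
    try:
        return resolve(root, pathname)
    except PathError as err:
        return str(err)


# Constructed sample Host virtual file system (not from the thesis).
SAMPLE_ROOT = {
    "proj": ("directory", {
        "notes": ("data", b"design notes"),
        "sub": ("directory", {"alias": ("link", "proj>notes")}),
        "back": ("link", "proj>sub"),
        "self": ("link", "proj"),
    }),
    "loop1": ("link", "loop2"),
    "loop2": ("link", "loop1"),
}
```

The "proj>self>self" case shows why the loop test keys on the remaining path and not just on the link: that path revisits the same link but still terminates, whereas loop1/loop2 never do.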


DELETE FILE <pathname, userid>. This command 
requests that the Supervisor delete the specified file from 
the virtual file hierarchy. For design simplicity, only 
terminal files (including msf's) can be deleted. This means 
that directories must be empty in order to be deleted. 
Actions taken: 

1) The Supervisor locates the root of the virtual 
file system for this Host and does a tree traversal to 
locate the parent directory file. 

2) If the parent directory file is not found or found 
but write access to the parent directory file is not 
permitted, an appropriate error code is returned. 

3) Otherwise, if the file is located, it is deleted 
by the Supervisor. 


READ FILE <pathname, command type (directory, data, 
size), userid>. This command requests that the Supervisor 
transmit to the Host either a data file, directory file 
(selected elements only), or the File Size, Last Update, and 
Access Class (entry data) elements associated with a 
particular file. The last option, to transmit entry data 
only, needs some explanation. 


Branch entry elements can be logically divided into 
two categories with respect to discretionary security. The 
first category, which includes Entry Name, 
Branch Link Switch, Access Class, and ACL Ptr, are branch 
entry attributes which cannot be altered by a Host process 
unless the process has discretionary write access to the 
directory which contains the file branch entry. 

The second category, which contains File Size and 
Last Update, are attributes which belong to the file and 
must be updated when the file is updated. A situation may 
exist where a process may not have any discretionary access 
to a directory but may have discretionary read access to a 
file in the directory (plus implicit access to the rest of 
the directory during the search). In order to read this 
file, the Host system will need to know file size in order 
to prepare to receive it. This is the situation where the 
READ FILE (size) command is needed. Actions taken: (for data 
file) 

1) The Supervisor locates the root of the virtual 
file system for this Host and does a tree traversal to 
locate the desired directory file. 

2) If the file is not found or found but read access 
to the file is not allowed, an appropriate error message is 
returned. 

3) Otherwise, the file is transmitted to the 
requesting Host System. 

(for directory file) 

1) Same. 
2) Same. 

3) If the directory file is found and read access 
allowed, selected elements of the branch/link entries are 
returned to the Host. 

(for file size) 

1) The Supervisor locates the root of the virtual 
file system for this Host and does a tree traversal to 
locate the desired file. 

2) If the file is not found or found but read access 
to the file is not permitted, an appropriate error code is 
returned. 

3) Otherwise, the File Size and Last Update elements 
are returned to the Host. 


STORE FILE <pathname, file size, userid>. This 
command requests that the Supervisor store the specified 
file in the FSS. Actions taken: 

1) The Supervisor locates the root of the virtual 
file system for this Host and does a tree traversal to 
locate the data file. 

2) If the data file is not found or found but write 
access to the data file is not allowed, an appropriate error 
code is returned. Note that Host systems can store only data 
files; directories are built by the Supervisor. 

3) Otherwise, a store operation is performed by the 
FSS. 


READ ACL <pathname, userid>. This command is used by 
the Host systems in conjunction with the ADD ACL ENTRY and 
DELETE ACL ENTRY to adjust (give/rescind) the access mode 
(read/write) allowed to a Host/Host user to a specific file. 
Actions taken: 

1) The Supervisor locates the root of the 
virtual file system for this Host and does a tree traversal 
to locate the parent directory file. 

2) If the file is not found or is found but read 
access is not allowed to the parent directory file, an 
appropriate error code is returned. 

3) Otherwise, the Supervisor returns the file ACL 
for Host system user examination. 


ADD ACL ENTRY <pathname, ACL Entry, userid>. This 
command requests the Supervisor to add to the specified file 
ACL the specified ACL Entry (Host.user combination plus 
associated access mode). As with the previous commands, the 
access is checked for correctness by both the Supervisor and 
the Kernel before any action is taken. 


DELETE ACL ENTRY <pathname, ACL Entry, userid>. This 
command requests that an ACL Entry be deleted from a file 
ACL. Again, appropriate discretionary and non-discretionary 
checks are made before any action is taken by the FSS. 

ABORT. This command requests the Supervisor to halt 
execution of the present command and return the file system 
to its original state. There are only certain locations in 
the execution of Host commands that the Supervisor is able 
to interrupt. If an ABORT command is received after an 
operation has been completed but before the final Host 
acknowledgement is sent, the original command completion 
will be acknowledged and the abort command will be ignored. 
Otherwise, action of the command will be halted and the 
Supervisor will wait for another Host command. All Host 
commands (including ABORT) will be explicitly acknowledged 
with either a 'command complete' message or an appropriate 
error code. 
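The discretionary check described under ACL Ptr (Host.user entries, the * don't care authorization, the null/read/write modes with write implying read) together with the per-command access requirements stated in the command descriptions above, as an added Python example that is not the thesis's code: the text ACL format, the precedence between a specific entry and a wildcard entry, the error strings, and the REQUIRED_ACCESS table (built only from the commands whose required access the text states) are this example's assumptions.

```python
from dataclasses import dataclass

NULL, READ, WRITE = "null", "read", "write"      # the three discretionary modes
MODE_RANK = {NULL: 0, READ: 1, WRITE: 2}         # write implies read


@dataclass(frozen=True)
class AclEntry:
    host: str   # Host name, or '*' for "any Host"
    user: str   # user name, or '*' for "any user"
    mode: str   # NULL, READ or WRITE

    def matches(self, host, user):
        return self.host in ("*", host) and self.user in ("*", user)

    def specificity(self):
        """Number of fields that are not wildcards (0, 1 or 2)."""
        return int(self.host != "*") + int(self.user != "*")


def parse_acl(text):
    """Parse lines of the form 'Host.user:mode' (a constructed text format)."""
    entries = []
    for line in text.strip().splitlines():
        principal, mode = line.strip().split(":")
        host, user = principal.split(".")
        if mode not in MODE_RANK:
            raise ValueError(f"unknown access mode {mode!r}")
        entries.append(AclEntry(host, user, mode))
    return entries


def effective_mode(acl, host, user):
    """Mode granted to Host.user by `acl`; no matching entry means null.

    The thesis does not say how a specific entry and a wildcard entry that
    both match are reconciled. Assumption used here: the most specific
    entry wins, and among equally specific entries the most restrictive
    mode wins, so a null entry always blocks an equally specific grant.
    """
    matches = [e for e in acl if e.matches(host, user)]
    if not matches:
        return NULL
    best = max(e.specificity() for e in matches)
    return min((e.mode for e in matches if e.specificity() == best),
               key=MODE_RANK.get)


def permits(acl, host, user, wanted):
    """True if the effective mode covers `wanted` (READ or WRITE)."""
    return MODE_RANK[effective_mode(acl, host, user)] >= MODE_RANK[wanted]


# Which ACL each Host command is checked against, as stated in the command
# descriptions: "parent" is the parent directory file's ACL, "file" is the
# ACL of the file named by the pathname.
REQUIRED_ACCESS = {
    "CREATE FILE": ("parent", WRITE),
    "CREATE LINK": ("parent", WRITE),
    "DELETE FILE": ("parent", WRITE),
    "READ FILE":   ("file", READ),
    "STORE FILE":  ("file", WRITE),
    "READ ACL":    ("parent", READ),
}


def check_command(command, parent_acl, file_acl, host, user):
    """Return None if the command is permitted, else the error code text."""
    target, mode = REQUIRED_ACCESS[command]
    acl = parent_acl if target == "parent" else file_acl
    if permits(acl, host, user, mode):
        return None
    return f"{mode} not permitted"


# Constructed sample ACLs (not from the thesis).
PARENT_ACL = parse_acl("""
    HostA.alice:write
    *.bob:read
""")
FILE_ACL = parse_acl("""
    *.alice:write
    HostB.*:read
    HostB.mallory:null
""")
```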
E. PROCESS STRUCTURE 


There are two Supervisor processes which act on behalf 
of each Host system (hardware port): the input/output (IO) 
process and the file management (FM) process. The IO process 
is responsible for communication and data transfer (via 
packets) between the Supervisor and the Host system. The FM 
process is responsible for managing the per-Host virtual 
file systems and providing overall FSS control. All Host 
commands are interpreted by the FM process; the IO process 
acts in a slave mode to the FM process. Acting together, 
the FM and IO processes interpret and execute the file 
management requests of the Host systems. Kernel primitives 
READ, ADVANCE, AWAIT, and TICKET used in conjunction with 
eventcounts and sequencers (described later), are used to 
synchronize Host surrogate process execution. 

Both the FM and IO processes call on Kernel primitives 
to perform actual segment manipulation. The normal order in 
which these calls are made is fixed by the Kernel design. To 
add a segment to a process memory, the order of Kernel calls 
is: 1) Gatekeeper.Create Segment, 2) Gatekeeper.Make Known, 
and 3) Gatekeeper.Swap In. To delete a segment from a 
process memory, the order of Kernel calls is: 1) 
Gatekeeper.Swap Out, 2) Gatekeeper.Terminate, and 3) 
Gatekeeper.Delete Segment. The Supervisor procedures use 
these invocation orders. 

There are three levels of abstraction for a Host 
surrogate process. They are: 1) the level at which Host 
commands are known, 2) the level at which files are known, 
and 3) the level at which Supervisor segments or packets are 
known. These levels of abstraction should be kept in mind 
when reading the FM and IO process descriptions. 

A design choice to simplify file system maintenance and 
control is to allow upgrading of only directories (e.g., 
unclassified to secret). This will eliminate the possibility 
of having a secret file in an unclassified directory, a 
situation which would prevent updating of the file branch 
data by the secret process since writing down is not 
allowed. This restriction is not felt to exclude any 
significant FSS capabilities and provides for a simplified 
implementation. 

The modular construction of the FSS enhances System 
structure. All data bases, except the files themselves, are 
module local. Code is expected to be written in PLZ/SYS 
[Snook], which is a high level Pascal-like structured 
programming language. Because of its length, code is 
located in Appendix C. The code listed in this appendix 
gives the interprocess and intermodule control structure of 
the FSS. 
1. Shared Segment Interactions 


Supervisor process execution occurs in a completely 
asynchronous manner. When a process is referred to in the 
following discussions, the two Host surrogate processes are 
being referenced; these surrogate processes have the same 
clearance levels as the Host they represent. 

As already mentioned, the task of the FSS is to 
provide a service. To be of maximum benefit, this service 
should be unambiguous, easy to use, and robust. 

The main problem that the FSS must handle for 
proper System security is the confinement problem, viz., to 
prevent a process from reading a file with a higher 
classification or writing (i.e., storing or updating) a file 
with a lower classification. This job is handled entirely by 
the Kernel. 

Another problem closely related to the confinement 
problem which also involves the Supervisor, is the 
"readers/writers" problem [Courtois]. In order to preserve 
file integrity, reading and writing of a shared file cannot 
be allowed at the same time. Since a primary objective of 
the FSS is to provide for the sharing of files, this problem 
will certainly occur and must be handled properly for System 
viability. 

Both the confinement problem and the readers/writers 
problem can be solved in one of two ways. Mutual exclusion, 
a mechanism which forces a time ordering on the execution of 
critical regions, forces concurrent processes into a total 
order execution sequence. This is counterproductive to the 
purpose of a process structure, which inherently allows 
concurrent execution of processes. 


A second and relatively new method is the use of 
eventcounts and sequencers [Reed] to control access to 
critical regions. This method preserves the idea of 
concurrent processing to a much greater extent. An 
eventcount is an object that keeps count of the number of 
events (in the case of the FSS, segment read/write accesses) 
that have occurred so far in the execution of the System 
procedures. These eventcounts are associated with the 
Supervisor segments. They are accessed only via Kernel calls 
and can be thought of as non-decreasing integer values. Each 
Supervisor segment has two eventcounts associated with it, 
one to keep track of the read accesses and one to keep track 
of the write accesses. 

A Kernel primitive ADVANCE signals the occurrence of 
an event (read/write segment access) associated with a 
particular segment eventcount. The value of an eventcount is 
the number of ADVANCE operations that have been performed on 
it. A process can observe the value of an eventcount by 
either READ(Seg_#, E), which returns the value directly, or 
AWAIT(Seg_#, E, t), which returns when the eventcount 
reaches the specific value t. 

A sequencer is also necessary to solve the 
confinement and readers/writers problems. Some 
synchronization problems require arbitration (e.g., two 
write accesses to the same segment); eventcounts alone do 
not have the ability to discriminate between two events that 
happen in an uncontrolled (i.e., concurrent) manner. A 
sequencer, like eventcounts, can be thought of as a 
non-decreasing integer variable that is initially zero. Each 
Supervisor segment has associated with it one sequencer. The 
only operation on a sequencer is a Kernel primitive 
operation called TICKET(Seg_#, S), which, when applied to a 
sequencer, returns a non-negative integer value. (Similar to 
getting a ticket and waiting to be served at a barber shop.) 
Two uses of TICKET(Seg_#, S) will return two different values 
corresponding to the relative time of call. 

The segment number associated with these 
synchronization primitives informs the Kernel of which 
segment is being referenced. The use of eventcounts and 
sequencers can be illustrated by examining the following two 
procedures (read <> as not equal). The FSS implements these 
functions in the Directory Control module located in the FM 
process. 








PROCEDURE reader 
BEGIN INTEGER w; 
abort: w := READ(Seg_#,S);              !get reader eventcount! 
       AWAIT(Seg_#,C,w);                !wait until write complete! 
       read file; 
       IF READ(Seg_#,S) <> w THEN GOTO abort;  !read again! 
END 

PROCEDURE writer 
BEGIN INTEGER t; 
       ADVANCE(Seg_#,S);                !increment reader eventcount! 
       t := TICKET(Seg_#,T);            !get sequencer! 
       AWAIT(Seg_#,C,t);                !wait until earlier writes complete! 
       read and update file; 
       ADVANCE(Seg_#,C);                !increment writer eventcount! 
END 


The Kernel will enforce the confinement property and 
prevent the application of the ADVANCE and TICKET primitives 
to segments with an access class less than the Host access 
class. Not to do so would allow a communication path to be 
created between two different access levels. The two 
eventcounts a Supervisor segment will have associated with 
it (in the Kernel) are a write eventcount, C, and a read 
eventcount, S. Each segment will also have a sequencer, T, 
associated with it. Eventcounts and sequencers are initially 
zero. 
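A Python model of the reader and writer procedures above, added here and not the thesis's PLZ/SYS code: the Eventcount, Sequencer and Segment classes stand in for the Kernel objects S, C and T (AWAIT is taken to return once the eventcount is at least the requested value, and TICKET to return 0 on first use), and the on_read hook is an assumption used to force a write to happen in the middle of a read so that the retry path is exercised. As in the design, the reader never advances anything, so a higher-level reader writes nothing into a lower-level segment.

```python
import threading


class Eventcount:
    """Non-decreasing integer with the Kernel primitives READ, ADVANCE, AWAIT."""

    def __init__(self):
        self._value = 0
        self._cv = threading.Condition()

    def read(self):
        return self._value

    def advance(self):
        with self._cv:
            self._value += 1
            self._cv.notify_all()

    def await_(self, target):
        """Block until the eventcount has reached `target` (AWAIT)."""
        with self._cv:
            self._cv.wait_for(lambda: self._value >= target)


class Sequencer:
    """TICKET: each call returns the next non-negative integer, from 0."""

    def __init__(self):
        self._next = 0
        self._lock = threading.Lock()

    def ticket(self):
        with self._lock:
            t = self._next
            self._next += 1
            return t


class Segment:
    """One Supervisor segment with its Kernel synchronization objects."""

    def __init__(self, data):
        self.data = data          # the segment contents
        self.S = Eventcount()     # read eventcount: advanced when a write starts
        self.C = Eventcount()     # write eventcount: advanced when a write ends
        self.T = Sequencer()      # arbitrates between concurrent writers


def reader(seg, on_read=None):
    """PROCEDURE reader: returns (consistent snapshot, number of attempts)."""
    attempts = 0
    while True:
        attempts += 1
        w = seg.S.read()          # how many writes have started so far
        seg.C.await_(w)           # wait until all of them have completed
        snapshot = seg.data       # "read file"
        if on_read:               # test hook (assumption): run a writer mid-read
            on_read()
        if seg.S.read() == w:     # no write began meanwhile: snapshot is valid
            return snapshot, attempts
        # a write began during our read: "read again"


def writer(seg, update):
    """PROCEDURE writer: apply `update` to the segment under ticket order."""
    seg.S.advance()               # announce that a write is coming
    t = seg.T.ticket()            # take a ticket
    seg.C.await_(t)               # wait until the t earlier writers finished
    seg.data = update(seg.data)   # "read and update file"
    seg.C.advance()               # announce completion


def concurrent_writers(n):
    """n threads each add 1 to a counter segment; returns (value, C)."""
    seg = Segment(0)
    threads = [threading.Thread(target=writer, args=(seg, lambda d: d + 1))
               for _ in range(n)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return seg.data, seg.C.read()


def stale_read_demo():
    """A writer runs during the read; the reader notices S changed and retries."""
    seg = Segment("v1")
    fired = []

    def sneak():
        if not fired:             # only on the first attempt
            fired.append(True)
            writer(seg, lambda d: "v2")

    return reader(seg, on_read=sneak)
```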

These eventcounts and sequencers, with their 
associated Kernel primitives, are used by the FSS to perform 
the synchronization functions of Block and Wakeup [Coleman], 
described in the original Kernel design. Eventcounts and 
sequencers provide a clearer picture of the process 
interaction as well as explicit control of the 
readers/writers problem. Even more importantly, they 
permit the synchronization between processes of different 
access levels. This is essential in order to permit a higher 
level Host to read files of a lower level. 

There are two groups of Host requests. They can be 
classified as read requests (e.g., READ FILE, READ ACL) and 
write requests (e.g., CREATE FILE, STORE FILE). These 
categories can be further subdivided into read data file, 
read directory file and write data file, write directory 
file subcategories. Each category type must be handled in a 
proper manner by the Supervisor to insure file integrity. 
Each category will be discussed in turn beginning with the 
read file category. 

There are two conditions which might develop over which 
a process has no control: file update by another process, 
and file deletion by another process. An example of file 
update might occur while a secret process is traversing a 
file hierarchy and is in the middle of searching the 
directory for an Entry Name when another process (at the 
directory access level) updates the directory. Since the 
secret process will READ the segment reader eventcount, S, 
before and after the search, it will know that the data it 
had obtained is possibly invalid. Although there does not 
appear to be a problem with allowing the 'reading' process 
to re-read the directory file until a 'good' read is 
achieved, a closer examination of this condition should be 
made at implementation time, viz., is it possible for a 
'writing' process to alter the pathname of a 'reading' 
process so that an inconsistent state is achieved for the 
reading process? A possible solution could require a process 
which suffers a bad read to begin the traversal over, 
beginning at the root directory. 

When a directory is being read to pass directory 
data back to a Host, the directory data is put in a buffer 
and sent from there. 

A single segment buffer may be too small to hold a 
data file (e.g., maximum file size of 256K bytes). 
Therefore, to present the Host with only valid data, a data 
file buffer is needed at the process level. Since this 
buffer will be at the process access level, it can be locked 
by the process to insure that no other process interferes 
during the reading operation once the data file is in the 
buffer file. This copying of the data file is done by the FM 
process and the IO process will read the file from the 
buffer file when transferring the file to a Host system. The 
choice of making a copy of a data file is awkward but 
considered necessary in order to provide the Host with only 
atomic operations, i.e., to prevent the situation from 
occurring where half of a ten segment msf is transmitted to 
the Host and the file is either updated or deleted. 

The other condition which may arise during a file 
read is a file deletion. This situation occurs when one 
process is reading a file and another process deletes the 
same file. The first process, not knowing that the file 
(segment) has been deleted, will try to reference the file 
again. A hardware segment fault will occur and cause a 
transfer of control to the Kernel. Note that in this 
situation, it is the higher access class process which will 
suffer the fault while it is reading a lower access class 
file. To handle this problem, viz., the Supervisor segment 
fault, a fault handler must be part of the distributed 
Supervisor. A Kernel primitive also needs defining. This 
primitive, Gatekeeper.On Fault (fault condition, entry pt), 
is called in the initialization of the Supervisor process 
where it is possible for a segment fault to occur. A call to 
a Supervisor condition establisher is also necessary. This 
will place a specific condition handler on a condition 
stack. If a fault occurs, the Kernel returns to the 
Supervisor fault handler with a 'segment fault' error 
condition. This fault handler in turn transfers control to 
the condition handler at the top of the condition stack 
which can make a normal return from all procedures. When the 
error condition is detected (from the return code) by the 
appropriate Supervisor level, action is taken, viz., the 
Host command is re-initiated. Since the file (segment(s)) 
has been deleted, this reinvocation may well result in a 
'segment not found' error condition being returned from the 
Kernel and a 'file not found' error condition being relayed 
to the Host. When the Supervisor exits the segment fault a 
'revert' command is necessary to remove the condition 
handler from the condition stack. 


Another side benefit of having the Supervisor do all 
the actual file reading (and therefore take all the segment 
faults) is that it prevents a hardware fault from occurring 
during the actual data transfer in the Kernel during IO 
process execution; this condition would force the handling 
of the fault in the Kernel domain--a difficult task. 

Writing a file is a more straightforward task and 
presents fewer problems. This is because a writing process 
has the same access class as, and can prevent all other 
access to, the file (segment(s)) it is concerned with. 
To alter a directory (CREATE FILE, DELETE FILE, etc.), the 
process will get a ticket for the directory and perform the 
necessary manipulation when its number is called. In order 
to store a file, more care must be taken. If a process were 
allowed to store directly into the old file, the possibility 
exists that a software or hardware error might result in a 
partially updated file and loss of file integrity. To 
prevent this from occurring, a data file is first stored 
into a temporary file set up by the FM process. This also 
allows the original file to continue to be read by other 
processes while the update is in progress, a 
significant advantage if the data file is long. After the 
file is stored by the IO process, the FM process gets a 
ticket to the file directory and when its turn comes, makes 
the necessary directory updates, viz., the temporary file 
name is substituted for the old file entry name, Last Update 
information changed, and the old file deleted. (If the file 
is a msf, each segment is, of course, deleted.) 

The FM process is composed of the five modules 
depicted in Figure 2 (with associated Kernel calls). The FM 
process is the controller of the FSS and directs all 
interaction between the FSS and a Host system. Each module 
which makes up this process will be described along with the 
procedures which make up the individual modules. 


a. File Management Command Handler Module 


The File Management Command Handler 
module (see Appendix C, page 124) is at the top of the FM 
process hierarchy. This is the level of abstraction at which 
Host commands are 'known'. This module is responsible for 
interprocess communication and synchronization (with the IO 
process) and Host command interpretation. Interprocess 
communication is achieved by the Kernel primitives TICKET, 
ADVANCE and AWAIT which act on an eventcount associated with 
the shared mail box segment. Figure 2 shows the logical 
construction and the data base description of the mail box 
segment. 
Figure 17 is a list of the procedures contained within the 
FM Command Handler module and their input and output 
parameters. 


The command handler procedure is the entry procedure 
of the FM Command Handler module. This is the control 
procedure of the module and is responsible for routing Host 
commands to the appropriate command handler procedures for 
action. When notified by the IO process that a command 
has arrived, the FM process retrieves the 
command and begins appropriate action. The Host command 
name (e.g., READ FILE) is actually an entry into a 
case statement which directs the correct FM Command Handler 
procedure to take action. Each Host command has associated 
with it, at this level, its own procedure. 

Figure 2. FM Process Modules 

Because the procedures of the module are 
relatively straightforward, they will not be discussed in 
detail. The general functions of all the procedures in this 
module are to pass instructions to the IO process and to the 
Directory Control module, the workhorse of the 
FM process. 

Some explanation of Host command parameters is 
in order, however. These parameters (described below) are: 

pathname 
link 
file type 
command type 
file size 
access level 
userid 
ACL entry. 

In all Host commands, the pathname passed by the Host is the pathname (relative to the root directory of the Host virtual file system) of the file of interest, whether a directory or a data file. From the pathname, the FM process is able to extract the pathname of the parent directory, which it must bring into FM process memory to check the ACL for proper discretionary access. The complete pathname, in terms of the FSS file system, is passed to the Directory Control module for actual directory manipulation. A pathname and file size (for the "buffer file") are returned (dir_pathname, dir_file_size) by the Directory Control module during a Host READ_FILE or STORE_FILE request. This new pathname and file size are passed to the IO process, where the actual data transfer takes place for these operations. Since discretionary security checks are made in the FM process and all input/output buffers (e.g., temporary data file, mail_box segment) are under positive FM process control, the IO process need not be concerned with discretionary security or with the possibility of a segment fault.


A link is a pathname which a Host passes in the CREATE_LINK command.

File type is used for the CREATE_FILE command and is necessary because of the different file formats.

Command type is used in the READ_FILE Host command to specify the type of read the FSS is to conduct, i.e., to read a directory file, a data file, or only a data file size.

File size is passed by the Host during STORE_FILE requests. This information is necessary for the FM process to create a temporary file of sufficient size to store a Host file. File size is relayed to the IO process so that the IO process can transfer the data file without having to check the directory file for the file size. File size is given in bits.

Access level is required for the CREATE_FILE command. This allows for upgraded directories (data files cannot be upgraded).

Identification of the Host system user is necessary for the FSS to perform discretionary security checks. This is provided by the Host system through the userid parameter.

An ACL entry is passed with the ADD_ACL_ENTRY and DELETE_ACL_ENTRY commands to give or rescind discretionary access to files.
b. Directory Control Module

The Directory Control module, as the name implies, does the directory manipulation and maintenance. Figure 11 lists the procedures which make up this module along with their input/output parameters.

This is the level of the FM process at which directories are known. The Directory Control module handles the reader/writer problem with the appropriate use of the Kernel synchronization primitives READ, ADVANCE, AWAIT and TICKET. It handles the segment fault condition by a call to the condition establisher whenever the possibility of a segment fault exists. The IO process uses the same primitives when performing its portion of the data file read and store operations, viz., the tree traversal when locating the data file read buffer or the temporary storage file. As previously mentioned, the IO process will not face the problem of file deletion while reading and will therefore not have to establish a condition handler.

Logically, Host requests require four basic actions to be performed at this level. They are: 1) to bring a directory file into process memory for a read and/or write operation, 2) to delete a file, 3) to create a file, or 4) to copy a data file into a data file buffer. All other file maintenance functions, such as managing memory or managing the limited number of segments available to a process, are performed by subordinate modules. There are three procedures in this module.

The Dir_Cntrl_Directory procedure handles those Host commands which require that the parent directory be brought into process memory in order that the required discretionary security checks can be made. These are the delete, create (file and link), directory read and ACL commands discussed below.

In each case the parent directory (i.e., the directory segment which contains the file branch/link entry) must be brought into process memory to check whether the required discretionary access is permitted. The Segment Handler module is called with the pathname of the segment required to be brought into process memory.

For the delete action, discretionary write access to the directory is required, since the branch/link entry of the file must be removed from the directory when the file is deleted. (Note that this raises the possibility of a Host having write access to a file but not being able to delete it because it does not have write access to the directory.) If the parent directory file is not found, or is found but write access to the directory is not permitted, an appropriate error code is returned, viz., "not found" or "write access not permitted". If an error condition does not arise, the directory is brought into process memory and a check of the file attributes is made to determine the file type (data, directory, link). If it is a data file or a link entry, it can be deleted because it is a terminal node in the hierarchy. If it is a directory, the (directory) file itself must be brought into process memory to see if the directory is empty (viz., a check of Entry_Count and of the Supervisor temporary file). If it is not empty, an error code of "not terminal file" is returned to the Host. If the directory is empty, it can be deleted.

If no error condition arises from the preceding checks, the file may (subject to check by the Kernel) be deleted. The Dir_Cntrl_Directory procedure will call the Seg_Hnd_Make_Unaddressable procedure, which will in turn call the Mem_Hnd_Swap_Out procedure to remove the segment from process memory if it is in memory. (Remember the actual order: Swap Out, Terminate, Delete.) Next, the Kernel primitive Gatekeeper.Delete_Segment is called to delete the file from the FSS. Note that in the case of multi-segment files these steps must be repeated until all segments of the file are deleted. At this time the branch entry is removed from the directory by zeroing all branch entry elements (to allow for secondary storage compaction of disc pages of zeros). The IO process is then instructed to acknowledge the Host with "file deleted". This frees the entry for future use.
The deletion of a link requires the same discretionary write access to the directory. In this case no further checks are necessary, and the link entry elements are zeroed in the directory, freeing the entry for re-use.

For the CREATE_FILE command, analogous action is taken by the Dir_Cntrl_Directory procedure, viz., to check discretionary write access to the directory which will contain the file branch entry. Once this check has been satisfactorily completed, and room exists in the directory, the Kernel call Gatekeeper.Create_Segment is made to create the file. The initial file size is zero for data files, since the Supervisor has no prior knowledge of the size of the file to be stored in the branch entry. As explained earlier, a fixed size was selected for directory files.

The CREATE_LINK request is again analogous, the only difference being that instead of a branch entry being made in the directory, a link entry is made. As previously mentioned, the Supervisor will not allow a loop state. Checks will not be made at link creation time; however, the Supervisor will abort a file search if it encounters this error condition during tree traversal.

The READ_FILE (dir) command requires read access to the directory file. If no error condition arises during the discretionary security checks, selected directory data (e.g., Entry_Name, File_Size, etc.) is transferred to the Host system via the mail_box segment (Dir_Data_Buffer). This selected directory data for each occupied branch/link entry is transferred during the READ_FILE (dir) command. For the READ_FILE (size) request, only the selected directory data for a specific data file is transferred. The IO and FM processes use the appropriate Kernel synchronization primitives to assure that the information in the mail_box segment is valid.

The last three Host requests handled by the Dir_Cntrl_Directory procedure are related. Again, the appropriate discretionary access checks must be made in the parent directory. If no error condition arises, the action taken is straightforward. In the case of the command that returns a file's ACL, the file ACL is transferred to the mail_box Dir_Data_Buffer and control is returned to the FM Command Handler module; in the case of the ADD_ACL_ENTRY and DELETE_ACL_ENTRY commands, the action is completed by the Dir_Cntrl_Directory procedure and the appropriate Disc_Succ_Code is returned.


The Dir_Cntrl_Data procedure is responsible for transferring a requested data file to or from a Host if the necessary preconditions are met (viz., discretionary and non-discretionary security). In order to read or store a file, the Host must have the proper discretionary access to the file. To check this, the parent directory which contains the file branch entry must be brought into memory. This is done by the Segment Handler module. If the proper access is not allowed, an error code is returned to the FM Command Handler module for relay to the Host system. If the proper access is allowed, a copy of the file is made in the case of the READ_FILE command, or a temporary file is created in the case of the STORE_FILE command. The pathname and file size of the data files to be transferred are passed to the IO process, which will perform the actual data transfer. Upon a successful transmission of the data by the IO process, the FM process instructs the IO process to acknowledge the Host with a "read complete" or "store complete", as appropriate.


The Dir_Cntrl_Data procedure will make appropriate use of the Kernel synchronization primitives (AWAIT, READ, etc.) when copying a data file into the data file read buffer or setting up a temporary file for the store operation. After the file transfer has been completed by the IO process, the IO process returns a success code to the FM process. The IO process will return to the FM process when one of three conditions exists: 1) the read or store operation is successful and complete, 2) a command packet is received (viz., an abort command), or 3) a time-out occurs and the IO process was not able to complete the command.

Upon a successful store operation, the Dir_Cntrl_Update procedure is called to update the directory data (viz., exchange the temporary file Entry_Name with the old file Entry_Name) and delete the old file. (The temporary file should be deleted by this procedure if, upon attempting to update the file, the old file cannot be found.) Since each directory segment has only one temporary file for file update, some delay may be experienced by Host systems if several try to store large files into the same directory. This does not appear to be a major problem, since most users are anticipated to be operating from their own directory files. The Dir_Cntrl_Update procedure is also used to free the temporary storage file in the case of a Host abort command.


c. Discretionary Security Module

The Discretionary Security module is responsible for checking Host user discretionary access to a file and for adding and deleting ACL entries. All file ACLs are logically located in this module. This is the only other module besides the Directory Control module where a segment fault might occur, so use of the condition establisher must be made before any attempt to read an ACL entry; a non-local return is executed to the Directory Control module in the event of a fault. There are four procedures which make up this module, as depicted in figure 12.

The Disc_Sec_Check_Access procedure, as the name implies, checks a specific user's discretionary access to a specific file. A success code is returned, indicating the result of the check. This discretionary check is only made on the specific file which is named in a Host command, i.e., a design choice was made not to make discretionary access checks during the tree traversal search for the specified file. This makes explicit in one ACL who has access to a file, which contributes to clear security semantics. (This also eliminated the question of what to do if an intermediate directory was encountered during a file search to which the process did not have read access.)
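The two discretionary rules above (a single ACL on the named file decides access, with no checks on intermediate directories, and deletion needs write access on the parent directory rather than on the file, and only for terminal nodes) are small enough to model directly. The following is an illustration added for this edit, not the thesis's code: the tree layout, the `Entry` type, the "r"/"w" mode letters and the sample hierarchy in `build_sample_tree` are all constructed here, and the error strings mirror the ones the text names.

```python
# Toy model of the FSS discretionary rules described above (added for this edit).
from dataclasses import dataclass, field
from typing import Dict, Optional

READ, WRITE = "r", "w"          # assumed mode letters; the thesis names modes "read"/"write"

@dataclass
class Entry:
    kind: str                                                   # "data", "dir" or "link"
    acl: Dict[str, str] = field(default_factory=dict)          # userid -> granted modes
    children: Dict[str, "Entry"] = field(default_factory=dict)  # branch/link entries (dirs only)
    target: Optional[str] = None                                # link pathname (links only)

def lookup(root: Entry, path: str) -> Optional[Entry]:
    """Tree traversal from the root with NO discretionary checks on the way down."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if node.kind != "dir" or part not in node.children:
            return None
        node = node.children[part]
    return node

def check_access(root: Entry, userid: str, path: str, mode: str) -> str:
    """Disc_Sec_Check_Access: consult only the ACL of the named file."""
    node = lookup(root, path)
    if node is None:
        return "not found"
    return "ok" if mode in node.acl.get(userid, "") else "access not permitted"

def delete(root: Entry, userid: str, path: str) -> str:
    """Delete rules of Dir_Cntrl_Directory: write on the parent, terminal nodes only."""
    parent_path, _, name = path.rstrip("/").rpartition("/")
    parent = lookup(root, parent_path or "/")
    if parent is None or name not in parent.children:
        return "not found"
    if WRITE not in parent.acl.get(userid, ""):
        return "write access not permitted"      # even if the user may write the file itself
    node = parent.children[name]
    if node.kind == "dir" and node.children:
        return "not terminal file"               # non-empty directory: Entry_Count > 0
    del parent.children[name]                    # stands in for zeroing the branch/link entry
    return "file deleted"

def build_sample_tree() -> Entry:
    """Constructed sample hierarchy (not from the thesis): bob may write /proj/report
    but only read /proj, and has no entry at all on the root directory."""
    root = Entry("dir", {"alice": "rw"})
    proj = Entry("dir", {"alice": "rw", "bob": "r"})
    proj.children["report"] = Entry("data", {"bob": "rw"})
    proj.children["old"] = Entry("dir", {"alice": "rw"})
    proj.children["old"].children["notes"] = Entry("data", {"alice": "r"})
    root.children["proj"] = proj
    return root
```

Running `check_access(t, "bob", "/proj/report", "r")` succeeds although bob has no access to the root directory, which is exactly the "one ACL decides" semantics; `delete(t, "bob", "/proj/report")` fails with "write access not permitted" although bob may write the file, which is the case the parenthetical note warns about.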


(D 


The Disc_Sec_Add_ACL_Entry procedure adds an entry to a file's ACL and returns a success code to indicate the action taken. As noted previously, a directory has a pool of ACL entry elements. The Supervisor only guarantees one ACL entry element per branch entry (for its creator). If another ACL entry is required and the ACL entry pool is empty, an ACL entry element will have to be explicitly freed from a file by the Host before a file's ACL can be added to.

PROCEDURE                    INPUT        OUTPUT
Disc_Sec_Check_Access        ACL          Disc_Succ_Code
                             Userid
Disc_Sec_Add_ACL_Entry       ACL          Disc_Succ_Code
                             ACL_Entry
                             Userid
Disc_Sec_Delete_ACL_Entry    ACL          Disc_Succ_Code
                             ACL_Entry
                             Userid
Disc_Sec_Get_Entry           ACL          ACL_Entry
                             Userid       Disc_Succ_Code

Figure 12. Discretionary Security Module
           Procedure Input/Output Parameters

The Disc_Sec_Delete_ACL_Entry procedure performs the straightforward task of deleting an ACL entry from a file's ACL.

The last procedure of this module is the Disc_Sec_Get_Entry procedure. It is used during the initial creation of a file by the Directory Control module to get a free ACL entry element.

d. Segment Handler Module

The Segment Handler module is the abstraction level at which Supervisor segments are known. This module works in conjunction with the Memory Handler module (described later) either to bring a segment into process memory (viz., Make_Known, Swap_In) or to terminate a segment (viz., Swap_Out, Terminate). This module is responsible for maintaining the FM KST (known segment table, figure 13) data base. The data base elements of the FM KST are the pathname of a segment known to the process, the segment number (Seg_#) of the terminal file in this pathname, the mode (i.e., read or write), and the use bit necessary for an LRU removal algorithm (approximation). To prevent the situation where a segment has been deleted by one process but is indicated as "in memory" by another process, each new Host command will initiate a Kernel call, Gatekeeper.Swap_In (Seg_#, Base_Addr), to confirm the existence of a segment. A Kernel return of "segment not found" will indicate that the segment has been deleted. The FSS must then clear its data structures of the invalid data and traverse the virtual hierarchy from the root directory to insure that the segment is truly gone and that it has not been renamed by another process (i.e., to cover the unlikely situation where a pathname has been deleted and then re-created with the same filename; this would associate different segment numbers with the same pathname).

PROCEDURE                      INPUT       OUTPUT
Seg_Hnd_Make_Addressable       Pathname    Seg_#
                                           Seg_Succ_Code
Seg_Hnd_Make_Unaddressable     Pathname    Seg_Succ_Code

Figure 14. Segment Handler Module
           Procedure Input/Output Parameters

Figure 14 is a list of the procedures of this module along with their input/output parameters. This module receives a file segment pathname and returns when the segment has been brought into process memory or an error condition occurs. The only possible error condition that might be returned from this module is "file not found". This module has two tasks, and therefore two procedures: to make a segment addressable by the Host process (viz., bring it into process memory) or to make a segment unaddressable by a Host process (viz., remove the segment from process memory). The procedures which handle these tasks are the Seg_Hnd_Make_Addressable (i.e., bring a segment into process memory) and Seg_Hnd_Make_Unaddressable (i.e., remove a segment from process memory) procedures. (Note that making a segment addressable also requires making the segment known, and that making a segment unaddressable requires terminating the segment.) Both tasks are accomplished by appropriate use of Kernel primitives and accompanied by calls to the Memory Handler module to Swap_In or Swap_Out a segment.

This module is also responsible for segment management. Segment management is necessary because each MMU allows the addressing of only 64 segments. With one MMU in the initial FSS implementation, and several segments taken by the Supervisor and Kernel, the number available to the Supervisor processes (MAX_KNOWN_SEG) will be somewhat less than 64. This number must be managed in a dynamic manner without interfering with process execution.

The Seg_Hnd_Make_Addressable procedure is the more involved of the two module procedures. If a request to make a segment known is received, the FM KST is checked to see if the segment is already known. If it is, the LRU bit is set and the Memory Handler module is called to assure that the segment is in process memory. If it is not already known to the process, it must be made known by the Kernel call Gatekeeper.Make_Known (Par_Seg_#, Entry_#, Mode). But this can only be done if the process segment limit is not exceeded. If the addition of a segment would cause an overflow, a segment must first be removed by the Seg_Hnd_Make_Unaddressable procedure. Once this is done, the desired segment can be made known, the FM KST updated, and the Memory Handler module called to bring it into process memory.

The Seg_Hnd_Make_Unaddressable procedure is straightforward. This procedure may be called either to delete a specific segment or to delete the LRU segment. If called to remove a specific segment, action is taken to remove that segment (described below). If called to remove the LRU segment, an LRU removal algorithm (approximation) is used to determine which segment will be removed. When this is done, the Memory Handler module is called to Swap_Out the segment from process memory. A returned success code indicates that the segment has been removed by the Kernel call Gatekeeper.Swap_Out (Seg_#). A call is then made to terminate the selected segment. The Kernel call Gatekeeper.Terminate (Par_Seg_#, Entry_#) will cause the segment to be deleted from the Kernel KST. Removing the entry from the FM KST completes the action taken by this procedure.
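The FM KST bookkeeping just described (a hard cap of MAX_KNOWN_SEG known segments, a use bit set on every reference, and an "LRU approximation" used to pick the victim when the table is full) is shown below as an illustration added for this edit; it is not the thesis's code. The use-bit approximation is implemented as a second-chance ("clock") sweep, which is this edit's choice since the thesis does not say which approximation it uses, and the Gatekeeper calls are recorded as strings rather than executed. Segment numbers are handed out sequentially here, which the Kernel need not do.

```python
# Toy FM_KST with a MAX_KNOWN_SEG cap and second-chance eviction (added for this edit).
from typing import Dict, List, Optional

class KnownSegmentTable:
    """pathname -> {seg_no, mode, use_bit}, capped at max_known_seg entries."""

    def __init__(self, max_known_seg: int) -> None:
        self.max_known_seg = max_known_seg
        self.entries: Dict[str, dict] = {}
        self.order: List[str] = []        # scan order for the clock hand
        self.hand = 0                     # position of the clock hand in self.order
        self.kernel_log: List[str] = []   # stands in for the Gatekeeper.* calls
        self._next_seg_no = 1             # assumed: Kernel hands out numbers sequentially

    def make_addressable(self, pathname: str, mode: str) -> int:
        """Seg_Hnd_Make_Addressable: return Seg_#, evicting a victim if the table is full."""
        if pathname in self.entries:
            entry = self.entries[pathname]
            entry["use_bit"] = True                                 # recently referenced
            self.kernel_log.append(f"Swap_In({entry['seg_no']})")  # confirm it still exists
            return entry["seg_no"]
        if len(self.entries) >= self.max_known_seg:
            self.make_unaddressable(None)                           # free a slot first
        seg_no = self._next_seg_no
        self._next_seg_no += 1
        self.kernel_log.append(f"Make_Known({pathname},{mode})")
        self.entries[pathname] = {"seg_no": seg_no, "mode": mode, "use_bit": True}
        self.order.append(pathname)
        self.kernel_log.append(f"Swap_In({seg_no})")
        return seg_no

    def make_unaddressable(self, pathname: Optional[str]) -> str:
        """Seg_Hnd_Make_Unaddressable: remove the named segment, or the LRU victim if None.
        Returns the pathname removed, or 'file not found'."""
        if pathname is None:
            if not self.order:
                return "file not found"
            pathname = self._clock_victim()
        if pathname not in self.entries:
            return "file not found"
        entry = self.entries.pop(pathname)
        idx = self.order.index(pathname)
        self.order.pop(idx)
        if idx < self.hand:
            self.hand -= 1
        self.hand = self.hand % len(self.order) if self.order else 0
        self.kernel_log.append(f"Swap_Out({entry['seg_no']})")    # actual order: Swap Out,
        self.kernel_log.append(f"Terminate({entry['seg_no']})")   # Terminate, then Delete
        return pathname

    def _clock_victim(self) -> str:
        """Second-chance scan: clear use bits until an unreferenced entry is found."""
        while True:
            name = self.order[self.hand]
            if self.entries[name]["use_bit"]:
                self.entries[name]["use_bit"] = False
                self.hand = (self.hand + 1) % len(self.order)
            else:
                return name
```

With a cap of three, making a, b, c and then d addressable evicts a (every use bit was set, so the first full sweep clears them all and the hand comes back to a); touching b and then adding e evicts c, the entry not referenced since that sweep. This is the sense in which a use bit only approximates LRU: it orders references by sweep, not by exact time.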
e. Memory Handler Module

This module operates in a slave mode to the Segment Handler module and consists of two procedures. These procedures are listed in figure 15 along with their input/output parameters. The job of this module is to dynamically manage a fixed size linear virtual memory. It does this by swapping segments into and out of process memory as required.

When the Mem_Hnd_Swap_In procedure is called, the FM AST (active segment table, figure 16) is checked to

PROCEDURE             INPUT       OUTPUT
Mem_Hnd_Swap_In       Seg_#       Mem_Succ_Code
                      Seg_Size
Mem_Hnd_Swap_Out      Seg_#       Mem_Succ_Code

Figure 15. Memory Handler Module
           Procedure Input/Output Parameters





Figure 17. Mem_Map











see if the segment is already in memory. If it is, its LRU bit is set and Gatekeeper.Swap_In (Seg_#, Base_Addr) is called to insure that the segment has not been deleted by another process since its last use. If the segment is not in memory, the Mem_Map data structure (figure 17) is checked to find room for a segment of the required size. Arguments can be made for both a first-fit and a best-fit memory management scheme [Shaw]. A first-fit scheme is chosen for the FSS because of the easier implementation and the reduced memory fragmentation. If room cannot be found, Mem_Hnd_Swap_Out is called until enough room exists for the segment to be brought into process memory. The Kernel call Gatekeeper.Swap_In (Seg_#, Base_Addr) is used to move the segment into process memory once room exists.


Mem_Hnd_Swap_Out may be called either to remove a specific segment or to remove the LRU segment from process memory. If the request is to remove a specific segment, the task is straightforward: a call is made to the Kernel primitive Gatekeeper.Swap_Out (Seg_#). If the request is to remove the LRU segment, an LRU algorithm (approximation) is used to determine which segment to remove. When this is done, the Kernel call is made and the Memory Handler data bases are updated to reflect the segment removal.

A preliminary analysis of memory requirements indicates that process linear virtual memory will need to be 24K bytes. The driving factor in this calculation is the fact that two data segments (possibly 8K bytes each) may be required in process memory during the copying of a data file into the data file buffer. A 24K byte memory would allow for the worst case, viz., one 8K byte segment positioned in the middle of linear memory; room would still exist for the two 8K byte segments.
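The first-fit placement, the swap-out-until-it-fits loop and the 24K/8K worst case above can be checked with a small model of Mem_Map. The following is an illustration added for this edit, not the thesis's Memory Handler: the map is kept as a dictionary of resident extents, the LRU victim is the least recently swapped in or referenced (exact LRU rather than the thesis's use-bit approximation, so the arithmetic is easy to follow), and all sizes are the thesis's (24K memory, 8K segments).

```python
# Toy Mem_Map with first-fit placement and LRU eviction (added for this edit).
from typing import Dict, List, Optional, Tuple

class MemMap:
    """Fixed linear process memory of `size` bytes holding whole segments."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.resident: Dict[int, Tuple[int, int]] = {}   # seg_no -> (base, length)
        self.lru: List[int] = []                         # least recently used first
        self.swapped_out: List[int] = []                 # eviction history, for inspection

    def holes(self) -> List[Tuple[int, int]]:
        """Free extents as (base, length) in address order."""
        out, cursor = [], 0
        for base, length in sorted(self.resident.values()):
            if base > cursor:
                out.append((cursor, base - cursor))
            cursor = base + length
        if cursor < self.size:
            out.append((cursor, self.size - cursor))
        return out

    def first_fit(self, length: int) -> Optional[int]:
        """Lowest-addressed hole that can take `length` bytes, or None."""
        for base, free in self.holes():
            if free >= length:
                return base
        return None

    def swap_in(self, seg_no: int, length: int) -> int:
        """Mem_Hnd_Swap_In: return the base address the segment now occupies."""
        if seg_no in self.resident:                      # already in memory: mark recent
            self.lru.remove(seg_no)
            self.lru.append(seg_no)
            return self.resident[seg_no][0]
        if length > self.size:
            raise ValueError("segment larger than process memory")
        base = self.first_fit(length)
        while base is None:                              # evict LRU until a hole is big enough
            self.swap_out(None)
            base = self.first_fit(length)
        self.resident[seg_no] = (base, length)
        self.lru.append(seg_no)
        return base

    def swap_out(self, seg_no: Optional[int]) -> int:
        """Mem_Hnd_Swap_Out: remove the named segment, or the LRU one if None."""
        if seg_no is None:
            seg_no = self.lru[0]
        self.lru.remove(seg_no)
        del self.resident[seg_no]
        self.swapped_out.append(seg_no)
        return seg_no

def worst_case_demo() -> dict:
    """The 24K/8K worst case from the text: one 8K segment stranded in the middle
    of memory must still leave room for two more 8K segments without eviction."""
    K = 1024
    m = MemMap(24 * K)
    for seg in (1, 2, 3):
        m.swap_in(seg, 8 * K)           # fills 0..24K in first-fit order
    m.swap_out(1)
    m.swap_out(3)                        # segment 2 is left at 8K..16K
    holes = m.holes()
    bases = (m.swap_in(4, 8 * K), m.swap_in(5, 8 * K))
    return {"holes": holes, "bases": bases, "evicted": list(m.swapped_out)}
```

Note that the worst case holds only because every segment here is at most 8K: a 4K segment stranded at, say, 10K would split the 24K into two holes of 10K and 10K, and a 12K segment could no longer be placed without an eviction, which is the fragmentation risk the first-fit choice is meant to limit.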


3. Input/Output Process

The IO process is the second of the two Supervisor processes which act on behalf of a Host system to provide a requested file management service. The IO process acts in a slave mode to the FM process; it receives its commands from the FM process via the mail_box segment described in conjunction with the FM process.

The IO process is responsible, as the name implies, for all input and output between the Supervisor and the Host systems. The IO process is composed of five modules, as depicted in figure 18 (along with the Kernel calls). Two of these modules, Segment Handler and Memory Handler, are the same modules as described for the FM process and will not be discussed further. Their task is to bring into the virtual memory of the IO process the data segments into and from which Host files are stored or read. Note that since the discretionary security checks are done in the FM process, the IO process does not have to repeat these checks.

A direct call to the Packet Handler module from the IO Command Handler module is possible, to send Host acknowledgements. If a file is to be read or stored, the module responsible for the data transfer is called to perform the read or store operation.

Figure 18. IO Process Modules

The IO process is also responsible for the FSS-Host protocol. Data is transferred between Host and FSS via fixed size "packets". There are three formats for these packets: 1) a synchronization packet format, 2) a command packet format and 3) a data packet format. Figure 19 gives the logical construction of the data and command packets. The synchronization packet is left for later design, in conjunction with the design of a Host interface. The packet size of 512 bytes for data and command packets was chosen to maximize data transfer efficiency at the expense of increasing the command packet size. Because 512 bytes is the size of the smallest Supervisor segment, this was chosen as the unit of data transfer.

A protocol must exist that insures reliable transmission and reception of packets by both the sender and the receiver in the FSS-Host packet exchange. The simplest protocol that will handle packet transmission is to transmit packets one at a time and wait for the packet acknowledgement before sending the next packet. The following diagram illustrates this simple protocol.


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HATA PACKET 


Packet Type Tyte 
Packet Number Lword 
Da ta eS 
Mee sum Lword 


COMMAND PACKET 


Packet Type Byte 
Packet Number Lword 
Vost rma "yte 
Pathname iz Byte 
File Name LS ote 
Linx 128 Pyte 
Access Level 3yte 
File Type Byte 

ACL "ntry ote 
Userid 3yte 
Cheex Sum Lword 
Padding 251 Fyte 


Fisura 19, Packet Construction 
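Figure 19 fixes the data packet as a type byte, an Lword packet number, the data and an Lword check sum inside 512 bytes, and the text says every arriving packet is "checked for correctness at the software level" and discarded if wrong. The builder and parser below show that check; they are an illustration added for this edit, not the FSS code. Where the figure is silent, assumptions are made and labelled: an Lword is taken as 4 bytes, fields are big-endian, the check sum is a 32-bit sum of the preceding bytes, the type codes are invented, and the data field is whatever is left (503 bytes under those assumptions).

```python
# Builder and correctness check for the 512-byte data packet of Figure 19 (added for this edit).
import struct

PACKET_SIZE = 512
HEADER = struct.Struct(">BI")      # Packet Type (Byte), Packet Number (Lword; 4 bytes assumed, big-endian)
TRAILER = struct.Struct(">I")       # Check Sum (Lword)
DATA_LEN = PACKET_SIZE - HEADER.size - TRAILER.size   # 503 bytes under these assumptions
TYPE_DATA, TYPE_COMMAND = 1, 2      # assumed type codes; the thesis does not list them

def checksum(body: bytes) -> int:
    """Assumed check sum: 32-bit sum of every byte preceding the Check Sum field."""
    return sum(body) & 0xFFFFFFFF

def build_data_packet(seq: int, payload: bytes) -> bytes:
    """Pack one fixed-size data packet; short payloads are zero-padded to DATA_LEN."""
    if len(payload) > DATA_LEN:
        raise ValueError("payload exceeds the data field")
    body = HEADER.pack(TYPE_DATA, seq) + payload.ljust(DATA_LEN, b"\0")
    return body + TRAILER.pack(checksum(body))

def parse_packet(pkt: bytes):
    """Software-level correctness check: return (type, seq, data), or None when the
    packet is not exactly PACKET_SIZE bytes or its check sum does not verify.  A None
    result is what the text calls a discarded packet that 'may be considered lost'."""
    if len(pkt) != PACKET_SIZE:
        return None
    body, trailer = pkt[:-TRAILER.size], pkt[-TRAILER.size:]
    (csum,) = TRAILER.unpack(trailer)
    if checksum(body) != csum:
        return None
    ptype, seq = HEADER.unpack_from(body)
    return ptype, seq, body[HEADER.size:]
```

One caveat a practitioner should keep in mind: an additive check sum detects a flipped byte but not two bytes swapped or two compensating errors, so a packet whose payload bytes were transposed in transit still parses. A CRC catches such reorderings against line noise; on a link exposed to an active adversary a keyed MAC would be needed, since neither a sum nor a CRC resists deliberate modification.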


This one-packet-at-a-time protocol is extremely inefficient, especially in the transmission of large data files: it does not allow the sender to send packets before an acknowledgement is received, nor does it allow the receiver to accept more than one packet at a time (i.e., read ahead and write behind). A multi-packet protocol is necessary to take advantage of a read ahead and write behind scheme.


To specify a multi-packet protocol, some means of distinguishing individual packets must be established. This is done by giving each packet a sequence number carried in the packet header. The receiver returns acknowledgements indicating the sequence number of the packet(s) received and accepted (i.e., no errors detected). The number of packets that may be transmitted before an acknowledgement is received is called the "packet window width". Packet transmission is controlled by an algorithm which uses the packet sequence numbers and the window width. At system initialization time, and any time a command packet is received, the sequence number of the FSS is reset to zero. Thus the first sequence number expected by the FSS upon system initiation (and afterwards upon command completion) is zero.


For an explanation of how the packet window works, let N(t) denote the transmitted sequence number of the current packet and let N(t+1) denote the next expected sequence number. The window width is denoted by W. At the start of communication, e.g., when a Host sends a command to the FSS, the Host is allowed to transmit packets bearing sequence numbers from N(t) up to N(t)+W-1. The receiver expects the packets to arrive in correct sequential order. As they arrive, packets are checked for correctness (at both the hardware (USART) and the software level); an incorrect packet is discarded and may be considered lost. Let the sequence number of a particular correctly received packet be S. If S = N(t+1) (i.e., the expected packet), then the packet is received in the correct sequence; it should be accepted by the receiver and an acknowledgement sent to the sender with the proper sequence number (in this case, S). If S < N(t+1), then the packet is a repetition of a packet previously received by the receiver; the second transmission may be due to either a lost or a delayed acknowledgement. The receiver should generate another acknowledgement, send it to the sender, and otherwise ignore the packet. If S > N(t+1), then the packet is ahead of sequence, indicating that an earlier packet has been lost; such a packet should be ignored and an error acknowledgement sent so the packet can be


The arrival of acknowledgements at the sender also needs to be discussed. As each acknowledgement arrives, the sender can delete the copy it has retained of the corresponding packet. As packets are acknowledged, fresh packets can be transmitted, i.e., when packet N has been acknowledged, packet N+W can be sent. Acknowledgements can get lost in transmission as well as packets. If a received acknowledgement does not refer to the earliest transmitted packet awaiting acknowledgement then, in this protocol, the sender may safely delete all packets up to and including the one referenced by the acknowledgement. Against each copy of a transmitted packet will be noted a time (i.e., the time-out) by which the packet must be acknowledged. Failing such an acknowledgement, the packet must be retransmitted with its original sequence number. A packet will only be received in sequential order, so it will be necessary to retransmit not only the earliest unacknowledged packet but also all later packets. The following figure illustrates this protocol. The queues should be considered circular, with automatic wrap-around.





In this figure, the sender is node A and the receiver is node B. Node A has sent out packets 3, 4 and 5, the last of which is still in transit to B. Node B has received all packets up to and including 4. It has just acknowledged 3 and 4 and is ready to accept 5, 6 and 7 when they arrive in order. When node A receives the acknowledgement for 3 and 4, it will be able to transmit 6 and 7.

This protocol insures that packets are handled in sequential order, which in turn insures that the data is received and stored correctly. It also assures positive control over the receipt and transmission of packets, a necessary requirement to prevent buffer overflow and loss of data.
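The window protocol of the preceding paragraphs (the three receiver cases S = N(t+1), S < N(t+1) and S > N(t+1); cumulative acknowledgements; time-out and go-back retransmission of the earliest unacknowledged packet and everything after it) is simulated below with both sides' messages, as an illustration added for this edit rather than the thesis's implementation. Packets are reduced to their sequence numbers (the check sum and framing are not modelled), losses are scripted by position in the sender's transmission log so a run is deterministic, and the "error acknowledgement" is represented as ("err", expected) while a normal one is ("ack", S); both forms are this edit's choice.

```python
# Deterministic simulation of the FSS-Host window protocol (added for this edit).
from typing import List, Set, Tuple

class Receiver:
    """Node B: accepts packets strictly in sequence."""

    def __init__(self) -> None:
        self.expected = 0                 # N(t+1): the next sequence number expected
        self.delivered: List[int] = []

    def receive(self, seq: int) -> Tuple[str, int]:
        """Return the acknowledgement to send back: ('ack', n) or ('err', expected)."""
        if seq == self.expected:          # S == N(t+1): accept and acknowledge S
            self.delivered.append(seq)
            self.expected += 1
            return ("ack", seq)
        if seq < self.expected:           # S <  N(t+1): duplicate, re-acknowledge, ignore data
            return ("ack", self.expected - 1)
        return ("err", self.expected)     # S >  N(t+1): an earlier packet was lost

class Sender:
    """Node A: keeps copies of unacknowledged packets, goes back on loss."""

    def __init__(self, window: int, last_seq: int) -> None:
        self.window, self.last_seq = window, last_seq
        self.base = 0                     # earliest unacknowledged sequence number
        self.next_to_send = 0
        self.log: List[int] = []          # every transmission in order, retransmissions included

    def sendable(self) -> List[int]:
        """Transmit everything the window allows: base <= seq < base + W."""
        batch = []
        while self.next_to_send <= self.last_seq and self.next_to_send < self.base + self.window:
            batch.append(self.next_to_send)
            self.next_to_send += 1
        self.log.extend(batch)
        return batch

    def on_ack(self, kind: str, n: int) -> None:
        if kind == "ack" and n >= self.base:
            self.base = n + 1             # cumulative: discard copies up to and including n
        elif kind == "err":
            self.next_to_send = self.base # resend the earliest outstanding packet and all later ones

    def on_timeout(self) -> None:
        self.next_to_send = self.base     # same recovery when nothing at all was acknowledged

def run(window: int, last_seq: int, drop: Set[int], drop_acks: Set[int] = frozenset(),
        max_rounds: int = 50) -> Tuple[List[int], List[int]]:
    """Deliver packets 0..last_seq.  `drop` and `drop_acks` hold positions in the sender's
    transmission log whose packet, respectively whose acknowledgement, the channel loses.
    Returns (transmission log, sequence delivered at the receiver)."""
    s, r = Sender(window, last_seq), Receiver()
    for _ in range(max_rounds):
        if s.base > last_seq:
            break
        start = len(s.log)
        acks = []
        for i, seq in enumerate(s.sendable()):
            if start + i in drop:
                continue                  # packet lost, or discarded as incorrect, in transit
            ack = r.receive(seq)
            if start + i not in drop_acks:
                acks.append(ack)          # otherwise the acknowledgement is lost on the way back
        if not acks:
            s.on_timeout()
        for kind, n in acks:
            s.on_ack(kind, n)
    return s.log, r.delivered
```

With a window of 3 and packet 1 lost from the first batch, the receiver accepts 0, rejects 2 as ahead of sequence with an error acknowledgement, and the sender goes back and resends 1, 2, 3: the transmission log reads 0 1 2 1 2 3 4 5 for six packets. With a window of 1 and the acknowledgement of packet 0 lost, the sender times out and resends 0, which the receiver re-acknowledges as a duplicate without delivering it twice.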

The Kernel controls all the hardware assets, as explained in Chapter I; Kernel calls are therefore necessary to transfer packets between the FSS and the Host systems. The formats of these Kernel calls are:

Gatekeeper.Setup (Buff_Addr, Mode, Status)
Gatekeeper.Send_Packet (Offset, Status)
Gatekeeper.Store_Packet (Offset, Status)
Gatekeeper.Change_Byte_Counter (#_of_Bytes, Status)


Each hardware port is virtualized into an input and an output port. Each virtual port has associated with it a unit control block (UCB) at the Kernel level. The elements of these UCBs are:

Byte Counter: This element is used to keep track of the number of bytes that have been transmitted or received. This counter is modulo "packet size", so that once packets are synchronized they should remain so. It can be altered by the Change_Byte_Counter call in order to get the FSS and the Host back into packet synchronization.

Base Address: This is the starting address in the input/output buffer where packets will be placed (incoming) or taken from (outgoing). It is initialized by the Setup Kernel call.

Buffer Size: This is the size (in packets) of the input/output buffer. It allows the Kernel to perform automatic wrap-around at the end of the buffer.

Window Width: This element is used by the input port UCB to prevent buffer overflow. Each invocation of Store_Packet will advance the window and allow another packet to be stored into the IO buffer. If a Host system violates the protocol by sending too many packets, the Kernel will dump them to a "bit bucket". The same element is used by the output port to control the number of packets that the FSS is able to send to a Host before receiving an acknowledgement. Although this parameter (viz., window width) may be different for the various Host systems, it should not change often and can therefore be set at system initialization.



For a store operation (packets from a Host to the
FSS), a Setup call is used to set the input UCB base address
to the initial storage location in the IO buffer. A Setup
call is also required to set the output UCB with the base
address in the IO buffer from which acknowledgements will be
sent. It should be noted here that the IO buffer in the IO
process is the location where packets are checked for errors
and "enpacketed" or "depacketed". It is just an intermediate
stop for data and neither the final destination nor origin
of data.

Subsequent Kernel calls to Store_Packet will return
the location of the next packet in the IO buffer to be
processed. The Kernel will store ahead into the IO buffer
during the store operation but will not overwrite the
buffer. That is, each call to the Kernel will indicate that
a new packet location is open. The IO process will control
which packets (and how many) are sent to the FSS by proper
use of acknowledgements (for both correct and incorrect
packets).

Two Setup calls are also necessary for a send
operation. They again set the virtual input/output ports for
the transfer of packets from the FSS to a Host. Subsequent
calls to Send_Packet indicate that a packet is ready to be
transmitted. The IO process knows when it can discard a
packet by the acknowledgements it receives from the Host
system.

The Change_Byte_Counter primitive is used by the
packet synchronization procedure to shift a UCB byte counter
in order to bring packet transmission back into
synchronization. (Synchronization may be required during a
temporary communication interruption or system start up.)

The following is a description of the three new
modules which make up the IO process.

a. Input/Output Command Handler Module

At the top of the IO process module hierarchy is
the IO Command Handler module (see Appendix C, p. 117). This
module is responsible for the interface with the FM process.


Communication between the processes is via the mail box
shared segment and synchronization is through the use of an
event count and the Kernel primitives TICKET, ADVANCE and
AWAIT. The procedures of this module along with their
input/output parameters are listed in figure 20.

The IO_Cmd_Hnd procedure, like the FM_Cmd_Hnd
procedure a case statement, routes FM process instructions
to the appropriate IO Command Handler procedure for action.

The procedure invoked when the Host command is one
that is answered from the mail box (an acknowledgement,
possibly carrying directory or ACL data) is the
IO_Cmd_Hnd_Ack procedure. This procedure is able to invoke
the Packet Handler module directly for performing directed
(by the FM process) Host acknowledgement and/or data
transfer from the shared mail box segment.

The IO_Cmd_Hnd_Send and IO_Cmd_Hnd_Store
procedures are relatively straightforward. They provide the
IO-FM process interface required for a READ_FILE or
STORE_FILE Host request. Both procedures call the File
Handler module to perform the actual file manipulation.


b. File Handler Module

The File Handler module is required for file
manipulation in the IO process and is the level in the IO
process at which files are known. The procedures which make
up this module along with their input/output parameters are
listed in figure 21. As mentioned above, there are only two
Host requests that require the IO process to bring data
files into process memory. These are READ_FILE and
STORE_FILE.

PROCEDURE           INPUT/OUTPUT PARAMETERS
IO_Cmd_Hnd          Mail_Box.Msg.Inst; output returned by
                    subordinate procedures
IO_Cmd_Hnd_Ack      Mail_Box.Msg.Succ_Code
IO_Cmd_Hnd_Send     Mail_Box.Msg.Pathname, Mail_Box.Msg.File_Size
IO_Cmd_Hnd_Store    Mail_Box.Msg.Pathname, Mail_Box.Msg.File_Size

Figure 20. IO Command Handler module
Procedure Input/Output Parameters

PROCEDURE             INPUT/OUTPUT PARAMETERS
File_Hnd_Send_File    Mail_Box.Msg.Pathname, Mail_Box.Msg.File_Size
File_Hnd_Store_File   Mail_Box.Msg.Pathname, Mail_Box.Msg.File_Size

Figure 21. File Handler module
Procedure Input/Output Parameters

Note that since the file size is passed from the FM
process, and the access to the data files involved is
controlled in the FM process, data file segments can be
brought directly into IO process memory and any requirement
for the IO process to access directory files (other than
tree traversal) is eliminated. Because the terminal nodes in
the tree traversal are controlled by the FM process, the
paths to these terminal nodes will not be alterable until
control is released by the FM process.

The File Handler module consists of two
procedures, File_Hnd_Send_File (for Host command READ_FILE)
and File_Hnd_Store_File (for Host command STORE_FILE). Both
procedures operate in a similar manner. Upon receiving a
pathname and file size from the FM process, these procedures
use the Segment Handler procedures to bring the necessary
data file segment(s) into process memory. A call is then
made to the Packet Handler module to transfer data from/to
the specified segments.

The order of events in the reading and storing
of data files follows the sequences below. For a READ_FILE
operation, the order of actions taken by the Supervisor is:

1) Discretionary and non-discretionary checks
are made in the FM process.

2) A copy is made of the data file into a read
buffer.

3) The pathname of the data file to be read
(remember, directory data is read by the FM process) is
passed to the IO process along with the file size. The IO
process can determine the file size from the file directory
but by passing file size to the IO process, this step is
eliminated for the IO process.

4) The read takes place in the IO process.

5) The IO process returns to the FM process with
a success code of "read complete" or an appropriate error
code. The only reason for a read operation to fail in the IO
process is the receipt of an abort command from the Host or
a time out which would occur if the Host stopped sending
for some unexplained reason.

6) The FM process instructs the IO process to
acknowledge the "read complete" or to send the appropriate
error code. The data file read buffer is then free for
reuse.


If the operation is a STORE_FILE operation the
following steps are taken by the Supervisor:

1) Discretionary and non-discretionary security
checks are made by the FM process.

2) A temporary file is created by the Supervisor
large enough to store the file in. Appropriate use of the
synchronization primitives prevents this temporary file from
being used by more than one process at a time.

3) The pathname of the temporary file is sent to
the IO process and the IO process stores the file into the
temporary file.

4) The IO process returns a success code to the FM
process and the FM process updates the directory to
reflect the new file (viz., the Entry Name of the temporary
file is changed to the old file Entry Name). The old file is
then deleted by the FM process.

5) The FM process then instructs the IO process
to acknowledge the "store complete". There is no reason a
store operation should fail other than an explicit abort
request by the Host system or hardware failure.
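The following Python model is added here to illustrate two things
together: the mail box hand-off between the FM and IO processes with
the event count primitives described under the IO Command Handler
module, and the STORE_FILE sequence just listed. It is not code from
the thesis or from the Appendix C listings. TICKET, ADVANCE and AWAIT
keep the thesis names; TICKET is modelled as reading the current value
of the mail box event count, which is the reading under which the
"t+2" of the listings works out (one ADVANCE by the caller, one by the
replying process). The message field names and the success codes
follow Appendices B and C; the scratch directory, the packet contents
and the STOP instruction are constructed for this example.

```python
# Added example: FM / IO mail box hand-off and the STORE_FILE sequence as
# two Python threads. Thesis names are kept where the text supplies them;
# STOP, the scratch directory and the packet data are constructed here.
import os
import tempfile
import threading

FALSE, TRUE, NULL = 0, 1, 2          # CONSTANTs of the FM Command Handler module
STORE_FILE, ACK_HOST, STOP = "STORE_FILE", "ACK_HOST", "STOP"
STORE_COMPLETE, PACKET_ERROR = "Store_Complete", "Packet_Error"


class MailBox:
    """Mail box shared segment: one message record plus the event count C."""

    def __init__(self):
        self.msg = {"INST": NULL, "PATHNAME": NULL, "FILE_SIZE": NULL, "SUCC_CODE": NULL}
        self._count = 0
        self._cv = threading.Condition()

    def ticket(self):                       # GATEKEEPER.TICKET (MAIL_BOX, C)
        with self._cv:
            return self._count

    def advance(self):                      # GATEKEEPER.ADVANCE (MAIL_BOX, C)
        with self._cv:
            self._count += 1
            self._cv.notify_all()

    def await_(self, value):                # GATEKEEPER.AWAIT (MAIL_BOX, C, value)
        with self._cv:
            self._cv.wait_for(lambda: self._count >= value)


def fm_post(mb, inst, pathname=NULL, file_size=NULL, succ_code=NULL):
    """FM side of one exchange: fill the message, ADVANCE, then AWAIT t+2
    (our own ADVANCE plus the IO process's reply). Returns the reply."""
    mb.msg.update(INST=inst, PATHNAME=pathname, FILE_SIZE=file_size, SUCC_CODE=succ_code)
    t = mb.ticket()
    mb.advance()
    mb.await_(t + 2)
    return dict(mb.msg)


def io_process(mb, t0, host_packets, acks):
    """IO side (the IO_Cmd_Hnd loop): wait for an instruction, act on it,
    ADVANCE to release the FM process, then wait for the next instruction."""
    mb.await_(t0 + 1)
    while True:
        msg = mb.msg
        if msg["INST"] == STORE_FILE:
            # store the Host's data packets into the temporary file FM named;
            # a wrong number of data packets is the failure the listings allow for
            data = b"".join(host_packets)
            if len(data) == msg["FILE_SIZE"]:
                with open(msg["PATHNAME"], "wb") as f:
                    f.write(data)
                msg["SUCC_CODE"] = TRUE
            else:
                msg["SUCC_CODE"] = FALSE
        elif msg["INST"] == ACK_HOST:
            acks.append(msg["SUCC_CODE"])    # what Pk_Hnd_Ack would send the Host
        elif msg["INST"] == STOP:
            mb.advance()
            return
        t = mb.ticket()
        mb.advance()
        mb.await_(t + 2)


def fm_store_file(directory, entry_name, file_size, host_packets):
    """Steps 2 to 5 of the STORE_FILE sequence; step 1, the security checks,
    is taken as already passed. Returns (success code, acknowledgements)."""
    mb, acks = MailBox(), []
    io = threading.Thread(target=io_process, args=(mb, mb.ticket(), host_packets, acks))
    io.start()                                          # IO takes its ticket at IPL
    fd, temp_path = tempfile.mkstemp(dir=directory)     # 2) temporary file
    os.close(fd)
    reply = fm_post(mb, STORE_FILE, temp_path, file_size)   # 3) IO stores into it
    if reply["SUCC_CODE"] == TRUE:
        # 4) the temporary file takes over the old entry name; os.replace is
        # atomic, so the old file goes away only once the new one is complete
        os.replace(temp_path, os.path.join(directory, entry_name))
        fm_post(mb, ACK_HOST, succ_code=STORE_COMPLETE)  # 5) acknowledge the Host
    else:
        os.unlink(temp_path)                            # abort: free the temporary file
        fm_post(mb, ACK_HOST, succ_code=PACKET_ERROR)
    fm_post(mb, STOP)
    io.join()
    return reply["SUCC_CODE"], acks


def demo():
    """One good store and one a packet short, against a scratch directory."""
    directory = tempfile.mkdtemp()
    target = os.path.join(directory, "data.txt")
    with open(target, "wb") as f:
        f.write(b"old contents")                        # the file the Host replaces
    good = fm_store_file(directory, "data.txt", 8, [b"abcd", b"efgh"])
    with open(target, "rb") as f:
        after_good = f.read()
    bad = fm_store_file(directory, "data.txt", 8, [b"abcd"])
    with open(target, "rb") as f:
        after_bad = f.read()
    return good, after_good, bad, after_bad, sorted(os.listdir(directory))
```

The temporary-file-then-rename order is what makes step 4 safe: a Host
that reads the entry while another Host's store is in progress sees
either the complete old file or the complete new one, never a partly
written mixture, and an aborted store leaves the old file untouched.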
c. Packet Handler Module

The Packet Handler module does the actual
transfer of data between the FSS and the Host system and is
the IO process level at which the concept of packet is
known. The procedures of this module along with their
input/output parameters are listed in figure 22. The tasks
that this module must perform are: 1) synchronization of
packets, 2) error detection, 3) packet acknowledgement, and
4) transfer of data to/from Supervisor segments. Figure 23
is a finite state diagram of packet transfer.

The synchronization task is performed on the
system IPL and whenever packet synchronization is lost
thereafter. Error detection and request for retransmission
upon error detection are complementary functions which are
performed on every packet received from a Host.

Packet transfer during synchronization
procedures is in groups of three. This allows the
synchronization procedure to begin synchronization in the
middle of the first packet and still have two packets to
confirm synchronization when it is achieved.

Figure 23. Finite State Diagram of Packet Transfer

Packet transfer of command packets occurs one at
a time. The reason for this is that each command packet must
be acted upon in a synchronous manner. Data packet read
ahead and write behind is permitted to increase the transfer
rate of data packets. The number of packets that are allowed
to be sent or stored depends on the IO buffer size. The
Packet Handler module is also responsible for data
"enpacketing" and "depacketing" for the FSS.

The Pk_Hnd_Sync procedure is used to synchronize
packet transmission. It is explicitly called at IPL and
whenever the packet synchronization is lost by the Host
system. It is invoked implicitly by the FSS whenever a
packet is not able to be decoded (viz., the packet type and
packet check-sum are incorrect).
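The following Python model is added to illustrate packet
(re)synchronization as the Pk_Hnd_Sync paragraph and the Byte Counter
and Change_Byte_Counter elements of the UCB describe it; it is not
code from the thesis or its listings. A Kernel input port cuts the
Host's byte stream into fixed size packets at boundaries set by a byte
counter that runs modulo the packet size. If a byte is lost, every
later boundary is off, the IO process sees packets whose type and
check-sum do not decode, and Change_Byte_Counter moves the boundary
until three packets in a row decode. The four-byte layout (type byte,
two data bytes, check-sum byte), the type values and the limit on the
number of packets examined are assumptions made for this example.

```python
# Added example: packet framing and re-synchronization after a lost byte.
# PACKET_SIZE, the packet layout and the type values are assumptions.
PACKET_SIZE = 4
DATA_PACKET, CMD_PACKET, ACK_PACKET = 0x01, 0x02, 0x03
VALID_TYPES = {DATA_PACKET, CMD_PACKET, ACK_PACKET}
SYNC_GROUP = 3                      # packets transferred per synchronization step


def checksum(body):
    return sum(body) & 0xFF


def make_packet(ptype, data):
    body = bytes([ptype]) + bytes(data)
    assert len(body) == PACKET_SIZE - 1
    return body + bytes([checksum(body)])


def decodes(packet):
    """The error-detection check run on every received packet."""
    return (len(packet) == PACKET_SIZE and packet[0] in VALID_TYPES
            and packet[-1] == checksum(packet[:-1]))


class InputPort:
    """Kernel-side framing of a received byte stream."""

    def __init__(self, stream):
        self._stream = bytes(stream)
        self.position = 0            # bytes consumed from the stream
        self.byte_counter = 0        # bytes already counted toward the current packet

    def change_byte_counter(self, n):
        """Gatekeeper.Change_Byte_Counter: count n bytes that never arrived,
        so the current packet closes n bytes early and every later boundary
        moves n bytes earlier in the stream."""
        self.byte_counter = (self.byte_counter + n) % PACKET_SIZE

    def next_packet(self):
        """Deliver the bytes up to the point where the counter wraps to 0."""
        need = PACKET_SIZE - self.byte_counter
        packet = self._stream[self.position:self.position + need]
        self.position += need
        self.byte_counter = 0
        return packet


def pk_hnd_sync(port, max_packets=32):
    """Read packets until SYNC_GROUP in a row decode; on each undecodable
    packet shift the boundary one byte and drop the truncated remainder.
    Returns (synchronized, packets examined)."""
    good = 0
    for examined in range(1, max_packets + 1):
        if decodes(port.next_packet()):
            good += 1
            if good == SYNC_GROUP:
                return True, examined
        else:
            good = 0
            port.change_byte_counter(1)
            port.next_packet()       # the short remainder of the misaligned packet
    return False, max_packets


def demo_lost_byte():
    """Host sends six data packets; the last byte of the second one is lost.
    Returns the sync result and whether the whole stream was consumed."""
    packets = [make_packet(DATA_PACKET, [0x10 * i, 0x0F]) for i in range(1, 7)]
    stream = packets[0] + packets[1][:-1] + b"".join(packets[2:])
    port = InputPort(stream)
    return pk_hnd_sync(port), port.position == len(stream)
```

In the demonstration the first packet decodes, the second (three real
bytes plus the first byte of the third packet) fails, one shift of the
byte counter realigns the stream, and the fourth, fifth and sixth
packets supply the three consecutive good packets that confirm
synchronization. Requiring three in a row is what keeps a single
accidental check-sum match from being mistaken for synchronization.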

The Pk_Hnd_Ack procedure is used to send
acknowledgements to the Host systems. This procedure will
always be called from the IO Command Handler module which
will require the Packet Handler module to either acknowledge
the Host with a specific message or to send some data
located in a mail box segment buffer to the Host.

The Pk_Hnd_Send procedure is used to transfer
data segments from the FSS to a Host system. This procedure
is called from the File Handler module which makes sure that
the correct data segment is in process memory for the
transfer. The segment number along with the number of bits
that are required to be transferred are passed to this
procedure from the File Handler module. This procedure then
transfers the segment until the specified number of bits
have been transmitted. A success code is returned when this
action is complete.

The Pk_Hnd_Store procedure works in a manner
completely analogous to Pk_Hnd_Send.
CONCLUSIONS

This design applies state of the art software and
hardware to solve the secure multilevel computer problem in
a file storage system. It presents an inexpensive but highly
powerful design for a system based on a micro-computer but
not restricted to a micro-computer environment, i.e., there
is no restriction on the type of Host computer system
serviced by the FSS. Implementation of this design on Z8000
hardware along with the analysis of FSS design parameters
(Appendix A) are tasks left to be done.

There are two major classes of applications for the FSS.
One application uses the FSS as a system file system (e.g.,
for distributed micros). This implies that the total system
is multilevel secure with only one secure component (viz.,
the Kernel). It must be noted, however, that in this
configuration, the distributed Hosts (i.e., the micros) have
no autonomous life.

The other class of applications involves using the FSS
as one element of a net of autonomous Host systems. In this
configuration, the FSS provides facilities for controlled
data sharing and communication.

An obvious direct application of the FSS is for
shipboard use (e.g., for the SNAP-II system [Smith]) or for
use at other installations where data would be more
efficiently used if controlled data sharing were allowed.

The design decision in the FSS which allowed the
Kernel to be kept small (and therefore more easily
verifiable) was the removal of discretionary security from
the Kernel domain to the Supervisor domain. The implication
of this choice is that each Host system is responsible for
its own discretionary security; not an unreasonable request
or design choice.

The next major task to be accomplished in this project
is FSS implementation. This will not be a trivial task, but
it is felt that the designs presented in this thesis and the
companion work done by Coleman provide a solid basis.


FOLLOW ON WORK

This design is a specific implementation of one member
of a family of operating systems based on the Security
Kernel concept discussed by O'Connell and Richardson
[O'Connell]. There are obvious areas that this design could
be expanded and generalized; areas that should be examined
after a successful first implementation. Some of these areas
are:

operator terminal interface functions
expanded Host commands
mapping of different user names in different Hosts to a
common user in the FSS
data compaction onto secondary storage
multilevel Hosts
discretionary security into the Kernel domain

These are just a few of the many possible areas for
expansion that could be explored. One area not mentioned in
the list but an area that should be looked at during the
initial implementation is a way to prevent the Supervisor
from suffering a "segment fault". The present arrangement,
with a fault handler, is not efficient or elegant. Since the
deletion of a segment is controlled by the Delete_Segment
Kernel primitive, a method of leaving an "orphan" copy in
process memory would eliminate the fault condition. The only
operation that would be defined on this "orphan" would be a
Delete_Segment command by a process to remove it from
process memory. After it had been deleted by all processes,
the copy could be destroyed. A variation of this scheme
would, upon a Kernel Swap_In call, swap into process memory
a per-process copy of the desired segment. Swap_Out would be
used to free process memory.
APPENDIX B. SUCCESS AND ERROR CODES

CODE
File Deleted
File Created
Link Created
Store Complete
Read Complete
Dir Read Complete
Entry Read Complete
ACL Read Complete
ACL Entry Added
ACL Entry Deleted
Cmd Aborted
Cmd Packet Expected
Illegal Cmd
Illegal Cmd Format
File Not Found
Write Access Not Allowed
Read Access Not Allowed
Time Out
Packet Ack
Packet Error
FM COMMAND HANDLER MODULE

CONSTANT
    FALSE := 0
    TRUE  := 1
    NULL  := 2

EXTERNAL
    DIR_CNTRL_DIRECTORY PROCEDURE (MSG BYTE
                                   USERID
                                   PATHNAME STRING
                                   FILE_TYPE
                                   ACCESS_LEVEL
                                   LINK STRING
                                   ACL_ENTRY)
        RETURNS (DIR_SUCC_CODE BYTE)
        !for Host cmds that require parent directory:
         delete file, create file, create link,
         read acl, add acl entry, delete acl entry!

    DIR_CNTRL_DATA PROCEDURE (MSG BYTE
                              USERID
                              PATHNAME STRING
                              FILE_SIZE LWORD)
        RETURNS (DIR_SUCC_CODE BYTE
                 DIR_PATHNAME STRING)
        !for Host cmds that access data file:
         read file, store file!

    DIR_CNTRL_UPDATE PROCEDURE (MSG BYTE
                                USERID
                                PATHNAME STRING)
        RETURNS (DIR_SUCC_CODE BYTE)
        !to update directory after io process
         acts on host cmds: read file, store file,
         abort!

GLOBAL !module entry point!


FM_CMD_HND PROCEDURE !case statement on Host cmds!
ENTRY
    DO
        MAIL_BOX.MSG.INST := READ_CMD
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := NULL
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
        IF MAIL_BOX.MSG.INST = CMD_PK_READY
        THEN
            IF HOST_CMD
                CASE DELETE_FILE      THEN FM_CMD_HND_DELETE_FILE
                CASE CREATE_FILE      THEN FM_CMD_HND_CREATE_FILE
                CASE CREATE_LINK      THEN FM_CMD_HND_CREATE_LINK
                CASE READ_FILE        THEN FM_CMD_HND_READ_FILE
                CASE STORE_FILE       THEN FM_CMD_HND_STORE_FILE
                CASE READ_ACL         THEN FM_CMD_HND_READ_ACL
                CASE ADD_ACL_ENTRY    THEN FM_CMD_HND_ADD_ACL_ENTRY
                CASE DELETE_ACL_ENTRY THEN FM_CMD_HND_DELETE_ACL_ENTRY
                CASE ABORT            THEN FM_CMD_HND_ABORT
                ELSE
                    MAIL_BOX.MSG.INST := ACK_HOST
                    MAIL_BOX.MSG.PATHNAME := NULL
                    MAIL_BOX.MSG.FILE_SIZE := NULL
                    MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (ILLEGAL_CMD)
                    t := GATEKEEPER.TICKET (MAIL_BOX, C)
                    GATEKEEPER.ADVANCE (MAIL_BOX, C)
                    GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
            FI
        ELSE
            MAIL_BOX.MSG.INST := ACK_HOST
            MAIL_BOX.MSG.PATHNAME := NULL
            MAIL_BOX.MSG.FILE_SIZE := NULL
            MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (CMD_PK_EXPECTED)
            t := GATEKEEPER.TICKET (MAIL_BOX, C)
            GATEKEEPER.ADVANCE (MAIL_BOX, C)
            GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
        FI
    OD
END FM_CMD_HND





INTERNAL
    MSG BYTE

FM_CMD_HND_DELETE_FILE PROCEDURE
ENTRY
    MSG := DELETE_FILE
    DIR_CNTRL_DIRECTORY (MSG
                         USERID
                         PATHNAME
                         NULL     !file type!
                         NULL     !access level!
                         NULL     !link!
                         NULL)    !acl entry!
    !returns dir succ code!
    IF DIR_SUCC_CODE = TRUE
    THEN
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := FILE_DELETED
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    ELSE
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
        !file not found; write access to directory
         not permitted!
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    FI
END FM_CMD_HND_DELETE_FILE


BC 





FM_CMD_HND_CREATE_FILE PROCEDURE
ENTRY
    MSG := CREATE_FILE
    DIR_CNTRL_DIRECTORY (MSG
                         USERID
                         PATHNAME
                         FILE_TYPE
                         ACCESS_LEVEL
                         NULL     !link!
                         NULL)    !acl entry!
    !returns dir succ code!
    IF DIR_SUCC_CODE = TRUE
    THEN
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := FILE_CREATED
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    ELSE
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
        !directory not found; write access
         not permitted; directory full!
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    FI
END FM_CMD_HND_CREATE_FILE
FM_CMD_HND_CREATE_LINK PROCEDURE
ENTRY
    MSG := CREATE_LINK
    DIR_CNTRL_DIRECTORY (MSG
                         USERID
                         PATHNAME
                         NULL     !file type!
                         NULL     !access level!
                         LINK
                         NULL)    !acl entry!
    !returns dir succ code!
    IF DIR_SUCC_CODE = TRUE
    THEN
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := LINK_CREATED
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    ELSE
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
        !dir not found; write access to directory
         not permitted; directory full!
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    FI
END FM_CMD_HND_CREATE_LINK
FM_CMD_HND_READ_FILE PROCEDURE
ENTRY
    IF FILE_TYPE = DATA
    THEN
        MSG := READ_FILE
        DIR_CNTRL_DATA (MSG
                        USERID
                        PATHNAME
                        NULL)    !file size!
        !returns dir succ code, dir pathname, file size!
        IF DIR_SUCC_CODE = TRUE
        THEN
            MAIL_BOX.MSG.INST := SEND_FILE
            MAIL_BOX.MSG.PATHNAME := DIR_PATHNAME
            MAIL_BOX.MSG.FILE_SIZE := FILE_SIZE
            MAIL_BOX.MSG.SUCC_CODE := NULL
            t := GATEKEEPER.TICKET (MAIL_BOX, C)
            GATEKEEPER.ADVANCE (MAIL_BOX, C)
            GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
            IF MAIL_BOX.MSG.SUCC_CODE = TRUE
            THEN
                MSG := UPDATE_READ
                DIR_CNTRL_UPDATE (MSG
                                  USERID
                                  PATHNAME)
                !update will not fail!
                MAIL_BOX.MSG.INST := ACK_HOST
                MAIL_BOX.MSG.PATHNAME := NULL
                MAIL_BOX.MSG.FILE_SIZE := NULL
                MAIL_BOX.MSG.SUCC_CODE := READ_COMPLETE
                t := GATEKEEPER.TICKET (MAIL_BOX, C)
                GATEKEEPER.ADVANCE (MAIL_BOX, C)
                GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
            ELSE
                MAIL_BOX.MSG.INST := ACK_HOST
                MAIL_BOX.MSG.PATHNAME := NULL
                MAIL_BOX.MSG.FILE_SIZE := NULL
                MAIL_BOX.MSG.SUCC_CODE := MAIL_BOX.MSG.SUCC_CODE
                !error code returned from io process:
                 file not found by io process;
                 file read aborted by write;
                 file read aborted by file deletion;
                 cmd packet received!
                t := GATEKEEPER.TICKET (MAIL_BOX, C)
                GATEKEEPER.ADVANCE (MAIL_BOX, C)
                GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
            FI
        ELSE
            MAIL_BOX.MSG.INST := ACK_HOST
            MAIL_BOX.MSG.PATHNAME := NULL
            MAIL_BOX.MSG.FILE_SIZE := NULL
            MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
            !file not found;
             read access to file not permitted!
            t := GATEKEEPER.TICKET (MAIL_BOX, C)
            GATEKEEPER.ADVANCE (MAIL_BOX, C)
            GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
        FI
    ELSE
        IF FILE_TYPE = DIRECTORY
        THEN
            MSG := READ_DIR
            DIR_CNTRL_DIRECTORY (MSG
                                 USERID
                                 PATHNAME
                                 NULL     !file type!
                                 NULL     !access level!
                                 NULL     !link!
                                 NULL)    !acl entry!
            !returns dir succ code!
            IF DIR_SUCC_CODE = TRUE
            THEN
                MAIL_BOX.MSG.INST := ACK_HOST
                MAIL_BOX.MSG.PATHNAME := NULL
                MAIL_BOX.MSG.FILE_SIZE := NULL
                MAIL_BOX.MSG.SUCC_CODE := DIR_READ_COMPLETE
                !dir data transfered from dir buffer;
                 acknowledgement sent!
                t := GATEKEEPER.TICKET (MAIL_BOX, C)
                GATEKEEPER.ADVANCE (MAIL_BOX, C)
                GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
            ELSE
                MAIL_BOX.MSG.INST := ACK_HOST
                MAIL_BOX.MSG.PATHNAME := NULL
                MAIL_BOX.MSG.FILE_SIZE := NULL
                MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
                !directory not found;
                 read access to directory not permitted!
                t := GATEKEEPER.TICKET (MAIL_BOX, C)
                GATEKEEPER.ADVANCE (MAIL_BOX, C)
                GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
            FI
        ELSE
            MSG := READ_ENTRY_DATA
            DIR_CNTRL_DIRECTORY (MSG
                                 USERID
                                 PATHNAME
                                 NULL     !file type!
                                 NULL     !access level!
                                 NULL     !link!
                                 NULL)    !acl entry!
            !returns dir succ code!
            IF DIR_SUCC_CODE = TRUE
            THEN
                MAIL_BOX.MSG.INST := ACK_HOST
                MAIL_BOX.MSG.PATHNAME := NULL
                MAIL_BOX.MSG.FILE_SIZE := NULL
                MAIL_BOX.MSG.SUCC_CODE := ENTRY_READ_COMPLETE
                !entry data transfered from dir buffer;
                 acknowledgement sent!
                t := GATEKEEPER.TICKET (MAIL_BOX, C)
                GATEKEEPER.ADVANCE (MAIL_BOX, C)
                GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
            ELSE
                MAIL_BOX.MSG.INST := ACK_HOST
                MAIL_BOX.MSG.PATHNAME := NULL
                MAIL_BOX.MSG.FILE_SIZE := NULL
                MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
                !file not found; read access to file not permitted!
                t := GATEKEEPER.TICKET (MAIL_BOX, C)
                GATEKEEPER.ADVANCE (MAIL_BOX, C)
                GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
            FI
        FI
    FI
END FM_CMD_HND_READ_FILE
FM_CMD_HND_STORE_FILE PROCEDURE
ENTRY
    MSG := STORE_FILE
    DIR_CNTRL_DATA (MSG
                    USERID
                    PATHNAME
                    FILE_SIZE)
    !returns dir pathname; dir succ code!
    IF DIR_SUCC_CODE = TRUE
    THEN
        MAIL_BOX.MSG.INST := STORE_FILE
        MAIL_BOX.MSG.PATHNAME := DIR_PATHNAME
        MAIL_BOX.MSG.FILE_SIZE := FILE_SIZE
        MAIL_BOX.MSG.SUCC_CODE := NULL
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
        IF MAIL_BOX.MSG.SUCC_CODE = TRUE
        THEN
            MSG := UPDATE_STORE
            DIR_CNTRL_UPDATE (MSG
                              USERID
                              PATHNAME)
            !update will not fail!
            MAIL_BOX.MSG.INST := ACK_HOST
            MAIL_BOX.MSG.PATHNAME := NULL
            MAIL_BOX.MSG.FILE_SIZE := NULL
            MAIL_BOX.MSG.SUCC_CODE := STORE_COMPLETE
            t := GATEKEEPER.TICKET (MAIL_BOX, C)
            GATEKEEPER.ADVANCE (MAIL_BOX, C)
            GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
        ELSE
            MAIL_BOX.MSG.INST := ACK_HOST
            MAIL_BOX.MSG.PATHNAME := NULL
            MAIL_BOX.MSG.FILE_SIZE := NULL
            MAIL_BOX.MSG.SUCC_CODE := MAIL_BOX.MSG.SUCC_CODE
            !error returned from io process;
             cmd packet received; improper number of data packets!
            t := GATEKEEPER.TICKET (MAIL_BOX, C)
            GATEKEEPER.ADVANCE (MAIL_BOX, C)
            GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
        FI
    ELSE
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
        !file not found; write access to file not permitted!
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    FI
END FM_CMD_HND_STORE_FILE


FM_CMD_HND_READ_ACL PROCEDURE
ENTRY
    MSG := READ_ACL
    DIR_CNTRL_DIRECTORY (MSG
                         USERID
                         PATHNAME
                         NULL     !file type!
                         NULL     !access level!
                         NULL     !link!
                         NULL)    !acl entry!
    !returns dir succ code!
    IF DIR_SUCC_CODE = TRUE
    THEN
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ACL_READ_COMPLETE
        !acl data transfered from acl buffer;
         host acknowledgement sent!
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    ELSE
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
        !dir not found; read access to directory file
         not permitted!
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    FI
END FM_CMD_HND_READ_ACL
FM_CMD_HND_ADD_ACL_ENTRY PROCEDURE
ENTRY
    MSG := ADD_ACL_ENTRY
    DIR_CNTRL_DIRECTORY (MSG
                         USERID
                         PATHNAME
                         NULL     !file type!
                         NULL     !access level!
                         NULL     !link!
                         ACL_ENTRY)
    !returns dir succ code!
    IF DIR_SUCC_CODE = TRUE
    THEN
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ACL_ENTRY_ADDED
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    ELSE
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
        !dir not found; write access to directory not
         permitted; acl entry pool empty!
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    FI
END FM_CMD_HND_ADD_ACL_ENTRY





FM_CMD_HND_DELETE_ACL_ENTRY PROCEDURE
ENTRY
    MSG := DELETE_ACL_ENTRY
    DIR_CNTRL_DIRECTORY (MSG
                         USERID
                         PATHNAME
                         NULL     !file type!
                         NULL     !access level!
                         NULL     !link!
                         ACL_ENTRY)
    !returns dir succ code!
    IF DIR_SUCC_CODE = TRUE
    THEN
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ACL_ENTRY_DELETED
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    ELSE
        MAIL_BOX.MSG.INST := ACK_HOST
        MAIL_BOX.MSG.PATHNAME := NULL
        MAIL_BOX.MSG.FILE_SIZE := NULL
        MAIL_BOX.MSG.SUCC_CODE := ERROR_CODE (DIR_SUCC_CODE)
        !acl entry not found; write access to directory not
         permitted!
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    FI
END FM_CMD_HND_DELETE_ACL_ENTRY


FM_CMD_HND_ABORT PROCEDURE
ENTRY
    MSG := ABORT
    DIR_CNTRL_UPDATE (MSG
                      USERID
                      PATHNAME)
    !store cmd needs to free temporary file!
    MAIL_BOX.MSG.INST := ACK_HOST
    MAIL_BOX.MSG.PATHNAME := NULL
    MAIL_BOX.MSG.FILE_SIZE := NULL
    MAIL_BOX.MSG.SUCC_CODE := CMD_ABORTED
    t := GATEKEEPER.TICKET (MAIL_BOX, C)
    GATEKEEPER.ADVANCE (MAIL_BOX, C)
    GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
END FM_CMD_HND_ABORT

END FM_COMMAND_HANDLER





IO COMMAND HANDLER MODULE

EXTERNAL
    PK_HND_STORE PROCEDURE (SEG_# LWORD
                            BITS LWORD)      !number of bits!
        RETURNS (PK_SUCC_CODE BYTE)
    PK_HND_SEND PROCEDURE (SEG_# LWORD
                           BITS LWORD)       !number of bits!
        RETURNS (PK_SUCC_CODE BYTE)
    PK_HND_ACK_HOST PROCEDURE (MSG BYTE)
    PK_HND_READ_CMD PROCEDURE
    FILE_HND_SEND_FILE PROCEDURE (PATHNAME STRING
                                  FILE_SIZE LWORD)
        RETURNS (FILE_SUCC_CODE BYTE)
    FILE_HND_STORE_FILE PROCEDURE (PATHNAME STRING
                                   FILE_SIZE LWORD)
        RETURNS (FILE_SUCC_CODE BYTE)

INTERNAL

IO_CMD_HND PROCEDURE
ENTRY
    t := GATEKEEPER.TICKET (MAIL_BOX, C)
    GATEKEEPER.AWAIT (MAIL_BOX, C, (t+1))
    DO
        IF MAIL_BOX.MSG.INST
            CASE READ_CMD   THEN PK_HND_READ_CMD
            CASE ACK_HOST   THEN PK_HND_ACK_HOST (MAIL_BOX.MSG.SUCC_CODE)
            CASE SEND_FILE  THEN FILE_HND_SEND_FILE (MAIL_BOX.MSG.PATHNAME
                                                     MAIL_BOX.MSG.FILE_SIZE)
            CASE STORE_FILE THEN FILE_HND_STORE_FILE (MAIL_BOX.MSG.PATHNAME
                                                      MAIL_BOX.MSG.FILE_SIZE)
        FI
        t := GATEKEEPER.TICKET (MAIL_BOX, C)
        GATEKEEPER.ADVANCE (MAIL_BOX, C)
        GATEKEEPER.AWAIT (MAIL_BOX, C, (t+2))
    OD
END IO_CMD_HND

END IO_COMMAND_HANDLER